Sunday, September 14, 2014

Citrix XenApp 7.5 Site Setup fails when creating a new database

I ran into an interesting issue the other day that was easy to fix, but the error message can be misleading, so I thought it would be worth writing a blog post in case others encounter this.

Problem

You’re setting up a new Site in XenApp / XenDesktop Studio and would like the wizard to create a new database, so you proceed to fill in the database server location and database name.

You then hit the Test connection button.

You receive the prompt:

No database was found on the database server.

To create a database automatically, click OK.

Or, if you would prefer to use the database schema to create a database, click Cancel.


You proceed to hit OK to allow the wizard to create a new database…

… but notice that you are prompted with the following message:

The current credentials have insufficient privileges to access the database server and perform the necessary operations. Do you wish to enter alternative credentials?


You are sure that you logged onto the server running this wizard with an account that has the required permissions, but you go ahead and type in the credentials again.

After typing the credentials and hitting the OK button, you are prompted with the same message:

The current credentials have insufficient privileges to access the database server and perform the necessary operations. Do you wish to enter alternative credentials?


Solution

What I noticed after a bit of troubleshooting was that the firewall on the SQL server was turned on; as soon as I disabled the firewall, the wizard proceeded.

It’s definitely a bit strange that the message indicates an issue with the account when the problem is actually the firewall, but I hope this post serves up a quick answer to those who encounter this.
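The quicker way to separate the two causes the wizard lumps together is to test the TCP path to the SQL port before touching credentials, and then to open only that port to the Delivery Controllers rather than disabling the firewall. The following is an added example, not from the original post; it assumes a default SQL instance on TCP 1433 (a named instance uses a dynamic port plus the SQL Browser service on UDP 1434), and SQL01.contoso.local and the controller addresses are placeholders.

```powershell
# Added example (not from the original post). Requires the NetTCPIP and
# NetSecurity modules, i.e. Windows Server 2012 / Windows 8 or later.

function Test-SqlPortReachable {
    param(
        [Parameter(Mandatory)][string]$SqlServer,   # hostname of the SQL server
        [int]$Port = 1433                            # default-instance port (assumption)
    )
    # Test-NetConnection performs the same TCP handshake the Studio wizard needs.
    # A resolvable name with TcpTestSucceeded = False points at a firewall,
    # not at insufficient SQL permissions.
    $result = Test-NetConnection -ComputerName $SqlServer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server   = $SqlServer
        Port     = $Port
        Resolved = [bool]$result.RemoteAddress
        TcpOpen  = $result.TcpTestSucceeded
    }
}

# Run on the Studio / Delivery Controller host (placeholder server name).
Test-SqlPortReachable -SqlServer 'SQL01.contoso.local' | Format-Table -AutoSize

# Run on the SQL server in an elevated session. Instead of turning the
# firewall off, allow only the Delivery Controllers (placeholder addresses)
# to reach the SQL port on the domain profile.
New-NetFirewallRule -DisplayName 'SQL Server 1433 from Delivery Controllers' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress '172.16.2.30', '172.16.2.31' `
    -Profile Domain -Action Allow
```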

Saturday, September 13, 2014

Emails to distribution groups do not get delivered while migrating from Exchange 2007 to 2013

I ran into a rather tough issue that had me stumped for a few hours and thought it was worth blogging. The problem is that mail sent to any of the distribution groups in an environment I’m migrating from Exchange 2007 to 2013 does not get delivered and eventually generates the following bounce-back NDR:

Diagnostic information for administrators:
Generating server: exchange2013.contoso.local
Receiving server: exchange2007.contoso.local (192.168.9.2)
secondary@contoso.com
Remote Server at exchange2007.contoso.local (192.168.9.2) returned '400 4.4.7 Message delayed'
9/10/2014 2:54:59 PM - Remote Server at exchange2007.contoso.local (192.168.9.2) returned '441 4.4.1 Error encountered while communicating with primary target IP address: "Failed to connect. Winsock error code: 10061, Win32 error code: 10061." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 192.168.9.2:25'
Original message headers:
Received: from exchange2013-2.contoso.local (10.10.7.33) by exchange2013.contoso.local
(10.10.7.32) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 10 Sep
2014 08:00:54 -0300
Received: from exchange2013-2.contoso.local ([fe80::e183:a641:f02:ceb1]) by
exchange2013-2.contoso.local ([fe80::e183:a641:f02:ceb1%16]) with mapi id
15.00.0847.030; Wed, 10 Sep 2014 08:00:54 -0300
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Kate Ross <kross@contoso.com>
To: secondary <secondary@contoso.com>
Subject: Wed. Cover/Calendar
Thread-Topic: Wed. Cover/Calendar
Thread-Index: Ac/M5l84/Y7M2h8hSKKr2Unpc4VGhA==
Importance: high
X-Priority: 1
Date: Wed, 10 Sep 2014 08:00:53 -0300
Message-ID: <b1b6f4f8ddd847579cafe082b03e3e85@exchange2013-2.contoso.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <b1b6f4f8ddd847579cafe082b03e3e85@exchange2013-2.contoso.local>
MIME-Version: 1.0
X-Originating-IP: [10.51.1.102]
Return-Path: kross@contoso.com

The troubleshooting steps I’ve performed are:

Upgrading from Exchange 2007 to 2013

Upgrade the distribution groups from Exchange 2007 to 2013 by first listing the groups’ versions with the cmdlet:

Get-DistributionGroup | fl *version

Then executing:

Get-DistributionGroup | Set-DistributionGroup

Once the above cmdlet is executed, the…

Get-DistributionGroup | fl *version

… cmdlet should now display the version as:

ExchangeVersion : 0.10 (14.0.100.0)

Upgrading Distribution Groups to Universal

Upgrading the distribution groups did not appear to correct the issue. After a bit more troubleshooting, I discovered that all of the groups were still of the Global type rather than Universal, so I went ahead and upgraded them with:

Get-DistributionGroup | where { $_.Grouptype -Like "Global*" } | Set-Group -Universal

Note that if any of the distribution groups contain, or are members of, other Global groups, those groups will also need to be upgraded to Universal.

Removing the homeMTA Attribute

After trying the troubleshooting steps above, I was still encountering the same messages stuck in the queue with the following status:

Next Hop Domain: Exchange2007server.domain.local

Delivery Type: SMTP Relay to specified Exchange servers

Status: Retry


With the message details:

Identity: Exchange2013\12736\2598455214130

Subject: Testing123 - No need to reply

Internet Message ID: <ae09691dea2a4c2eb147da76d594518e@BHS-EXMBX-01.domain.local>

From Address: CCS-User@domain.bm

Status: Ready

Size (KB): 7

Message Source Name: SMTP:Default Exchange2013

Source IP: 10.10.7.32

SCL: -1

Date Received: 9/12/2014 10:14:43 PM

Expiration Time: 9/14/2014 10:14:43 PM

Last Error:

Queue ID: Exchange2013\12736

Recipients: staff@domain.bm;2;1;[{LRT=};{LED=};{FQDN=};{IP=}];0;CN=Exchange2007,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local;0


I then started combing through the differences between a distribution group newly created with the Exchange 2013 ECP and an existing distribution group that wasn’t working. Using the cmdlet:

Get-DistributionGroup "<distribution group name>" | fl

… did not show any differences side by side, so I went ahead and opened ADSI Edit to compare the attributes, which was when I noticed that the new distribution group created with Exchange 2013 did not have the homeMTA attribute populated, while an old distribution group did.

As soon as I cleared the attribute from the problematic distribution group, the messages were delivered.

To clear the attribute with PowerShell rather than ADSI Edit, first install the Active Directory module for Windows PowerShell on the server:

Import-Module ServerManager

Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Unfortunately, you would need to restart the server before you can import the Active Directory cmdlets with the following import command (I noticed that sometimes I didn’t need to run the import and the AD cmdlets would work anyway):

Import-Module ActiveDirectory

Once you have access to the AD cmdlets, you can use the following cmdlet to clear the homeMTA attribute:

Set-ADGroup '<distributionGroupName>' -Clear homeMTA

I originally thought that I could pipe the results from Get-DistributionGroup directly into Set-ADGroup, but that doesn’t work, so the way I worked around this was to use:

Get-DistributionGroup | FL name > C:\DistroNames.txt

… to get the names of all of the distribution groups in the format:

Name: Distro1

Name: Distro2

… into a text file, then opened it in Notepad and used search and replace to turn each name into a Set-ADGroup command to execute. Not exactly the most elegant solution, but it works.
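The text-file round trip above can be avoided: Get-DistributionGroup cannot be piped straight into Set-ADGroup because the object types differ, but each group’s DistinguishedName is a valid -Identity for the AD cmdlets. The following is an added example, not the post’s own script; it assumes an Exchange Management Shell on a server where the Active Directory module is installed, reports the groups that still carry homeMTA first, and supports -WhatIf before anything is changed.

```powershell
# Added example (not from the original post). Run from an Exchange
# Management Shell with RSAT-AD-PowerShell installed.
Import-Module ActiveDirectory

function Get-DistributionGroupWithHomeMTA {
    # Returns the distribution groups whose AD object still has homeMTA set.
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $adGroup = Get-ADGroup -Identity $_.DistinguishedName -Properties homeMTA
        if ($adGroup.homeMTA) {
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                homeMTA           = $adGroup.homeMTA   # DN of the legacy MTA object
            }
        }
    }
}

function Clear-DistributionGroupHomeMTA {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Bound from the DistinguishedName property of the piped objects.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        # -WhatIf / -Confirm come from SupportsShouldProcess, so the change
        # can be previewed before touching production groups.
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear homeMTA')) {
            Set-ADGroup -Identity $DistinguishedName -Clear homeMTA
        }
    }
}

# 1. Report first: which groups would change and where homeMTA points.
$affected = Get-DistributionGroupWithHomeMTA
$affected | Format-Table Name, homeMTA -AutoSize

# 2. Preview, then apply by removing -WhatIf.
$affected | Clear-DistributionGroupHomeMTA -WhatIf
```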

Friday, September 12, 2014

Unable to connect Android mobile phone to Exchange Server 2013 via ActiveSync

Problem

You’ve completed a new Exchange Server 2013 migration and have begun testing mobile devices such as Android and iPhone, but notice that while you are able to go through the setup, no mail is synchronized to the smartphone. No events are logged in the Application or System logs of the Exchange mailbox and CAS servers. Using the Microsoft Remote Connectivity Analyzer at https://testconnectivity.microsoft.com fails with the following error:

Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.

  Additional Details

Exchange ActiveSync returned an HTTP 500 response (Internal Server Error).

HTTP Response Headers:
request-id: c257a25d-2589-4c25-8190-491bacfaadb3
X-TargetBEServer: ********.*******.*****

Solution

While there could be other reasons why this error would be thrown, one of them is that the user account you’re trying to set up ActiveSync with does not have permissions inheritance enabled on its Active Directory object.

Simply enable inheritance and the phone should begin synchronizing email.

Saturday, August 23, 2014

Migrating a mailbox from Exchange 2007/2010 to Exchange 2013 fails with: “Error: MigrationPermanentException: Active Directory property 'homeMDB' is not writeable on recipient…”

Problem

You are attempting to migrate Exchange 2007 or 2010 mailboxes to a new Exchange 2013 environment but notice a few mailboxes have failed with the following error message:

Data migrated: 
Migration rate: 
Error: MigrationPermanentException: Active Directory property 'homeMDB' is not writeable on recipient 'domain.local/IT Department/Gary Black'. --> Active Directory property 'homeMDB' is not writeable on recipient 'domain.local/IT Department/Gary Black'.

Solution

One of the reasons this error is thrown is that the user object’s security permissions have inheritance disabled.

Enabling inheritance on the user object and re-initiating the migration of the problematic mailbox corrects the issue.
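Both this post and the ActiveSync post above trace the failure to an AD user object with permissions inheritance disabled. The following added PowerShell (not from the original posts) reports such users in an OU, flags the ones that AdminSDHolder will re-protect, and re-enables inheritance with a -WhatIf preview; it assumes the Active Directory module is installed, and the OU path is a placeholder modelled on the recipient in the error above.

```powershell
# Added example (not from the original posts). Requires RSAT-AD-PowerShell.
Import-Module ActiveDirectory

function Get-ADUserWithBlockedInheritance {
    param([string]$SearchBase)   # optional OU distinguished name to narrow the search
    $params = @{ Filter = '*'; Properties = 'nTSecurityDescriptor', 'adminCount' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    # adminCount = 1 marks a current or former member of a protected group:
    # the SDProp process re-applies the AdminSDHolder ACL (with inheritance
    # blocked) to such accounts on its schedule (60 minutes by default), so
    # re-enabling inheritance on them is only a temporary fix.
    Get-ADUser @params |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object Name, DistinguishedName,
            @{ Name = 'ProtectedBySDProp'; Expression = { $_.adminCount -eq 1 } }
}

function Enable-ADUserInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        $user = Get-ADUser -Identity $DistinguishedName -Properties nTSecurityDescriptor
        $acl  = $user.nTSecurityDescriptor
        # SetAccessRuleProtection($false, $true): stop blocking inheritance and
        # keep the explicit ACEs already present on the object.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable permissions inheritance')) {
            Set-ADUser -Identity $DistinguishedName -Replace @{ nTSecurityDescriptor = $acl }
        }
    }
}

# Report first, then preview the fix for the accounts SDProp will not undo.
# The OU below is a placeholder.
$blocked = Get-ADUserWithBlockedInheritance -SearchBase 'OU=IT Department,DC=domain,DC=local'
$blocked | Format-Table Name, ProtectedBySDProp -AutoSize
$blocked | Where-Object { -not $_.ProtectedBySDProp } | Enable-ADUserInheritance -WhatIf
```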

Thursday, July 17, 2014

Configuring a NetScaler VPX appliance to publish load balanced XenDesktop 7.x StoreFront servers

I’ve received a few messages over the past few months to ask whether I’ve written a blog post to update two of my previous posts:

Configuring for ICA Proxy with Citrix NetScaler VPX (1000) 10 and XenApp 6.5
http://terenceluk.blogspot.com/2012/10/configuring-for-ica-proxy-with-citrix.html

Configuring Citrix NetScaler VPX (1000) 9.3 for publishing Web Interface server access by authenticating against Active Directory
http://terenceluk.blogspot.com/2012/02/configuring-citrix-netscaler-vpx-1000.html

As I’ve been traveling over the past 2 months, I never got the chance to do so, but now that I’m back, I’ve put this at the top of the list. Before I begin, please note that the configuration I’m about to demonstrate was put together simply by reading the Citrix eDocs and a bit of trial and error. I am not a NetScaler expert; I know just enough to get by, so please forgive any mistakes I may have made.

With that out of the way, let’s get this started.

Product Versions

NetScaler VPX

Version: NS10.1
Build: 124.13.nc
Date: Feb 20 2014, 18:53:27

XenDesktop

Version: 7.1

Prerequisites

This blog post will not go into the details of the System configuration of the NetScaler, but I’ll include screenshots of what the configuration used in this example looks like.

System Configuration

IP Addresses

The following are the assignments for the NSIP (NetScaler IP), SIP (Subnet IP) and VIP (Virtual IP) addresses:

NetScaler IP: 172.16.2.10 – Management for NetScaler node 1

Subnet IP: 172.16.2.12 – SIP for NetScaler node 1

Virtual IP: 192.168.50.8 – VIP for NetScaler Gateway Virtual Server accessed by internet traffic

Virtual IP: 172.16.2.20 – VIP for NetScaler Gateway Virtual Server accessed by internal network

Virtual IP: 172.16.2.21 – VIP for NetScaler Load Balance Virtual Server


Network Routes

As the NetScaler VPX appliance will be dual-homed, routes to the various internal network subnets will need to be configured.

High Availability Pairing

While it is optional, if you have HA configured for the NetScaler, ensure that the high availability pairing is in good health.

Publishing XenDesktop 7 StoreFront on a NetScaler VPX

Traffic Management Configuration

Configure Servers

The purpose of configuring the Servers node is to specify the XenDesktop 7 StoreFront servers in the environment. Navigate to Traffic Management --> Load Balancing --> Servers.

Click on the Add… button to open the Create Server window and fill in the following:

Server Name: <A name to identify the StoreFront server>
IP Address: <The IP address of the StoreFront server>


Repeat the same procedure for the second StoreFront server.

Note that the 2 server objects created are now listed in the window.

Configure Services

The purpose of configuring the Services node is to define the service or services that the server objects provide and to allow the NetScaler appliance to monitor the up/down state of each service. The StoreFront servers will be delivering HTTP connectivity, so we’ll configure the service by navigating to Traffic Management --> Load Balancing --> Services.

Click on the Add… button to open the Create Service window and fill in the following:

Service Name: <A name identifying the server and service>
Server: <Select the server created in the previous step>
Protocol: HTTP
Port: 80

Leave the rest of the settings at their defaults; a tcp-default monitor with a Weight of 1 will be configured automatically for the service.

Note the new service created and its State listed as UP.

Repeat the same procedure for the second StoreFront server.

Note that the second StoreFront service is now displayed.

Opening the properties of the service will show that a monitor for tcp-default with a Weight of 1 has been configured automatically for the service.

Configure Load Balanced Virtual Servers

With the Servers and Services nodes configured, we can now use these objects to configure a virtual server object representing the two StoreFront servers and the HTTP service they provide. This virtual server will automatically load balance the two StoreFront servers and forward traffic to them as long as the HTTP service is up. Navigate to Traffic Management --> Load Balancing --> Virtual Servers.

Click on the Add… button to open the Create Virtual Server (Load Balancing) window and fill in the following:

Name: <A name identifying the load balanced virtual server>
IP Address: <An IP address assigned for this load balanced virtual server>

Check the checkboxes under the column labeled Active.

Click on the Method and Persistence tab and change the Persistence setting from NONE to SOURCEIP.

Click on the Create button to create the load balanced virtual server.

Note that the new load balanced virtual server is now created with the State listed as UP.

All traffic directed to this load balanced virtual server will be split between the two StoreFront servers, taking into account whether each is accepting HTTP requests. If a server does not accept HTTP requests, it will be deemed down.

Configure HTTP to HTTPS Redirect

It is recommended to configure an HTTP to HTTPS redirect so that users who access the site via HTTP are redirected to HTTPS before they submit their credentials. Since the NetScaler will have one IP for users connecting from the internet and one IP for users connecting from the internal corporate network to access the portal, we’ll need two virtual server objects to redirect requests for the two IPs. To configure the redirects, navigate to Traffic Management --> Load Balancing --> Virtual Servers, click Add… and fill in the following:

Name: <A name identifying the redirect for the external virtual server>
IP Address: <The IP address that will be assigned to the external virtual server>

Leave the rest of the settings at their defaults.

Click on the Advanced tab and fill in the Redirect URL with https://<URL to Citrix Portal>, then click on the Create button to create the virtual server used for redirecting HTTP to HTTPS.

Note that it is normal for the virtual server used for redirecting HTTP to HTTPS to have its State listed as DOWN, since no service is bound to it.

Repeat the same procedure for the website that will be accessed from the internal network.

Configure DNS Servers

While it is possible to use IP addresses to reference servers, it is recommended to use DNS names as much as possible because it makes it easier to modify the IP addresses of referenced servers when needed. Note the name servers configured in Traffic Management –> DNS --> Name Servers.

NetScaler Gateway Configuration

Configure LDAP Authentication

Servers

In order to allow the NetScaler to proxy the authentication request with Active Directory credentials between the user and the StoreFront server, LDAP authentication server objects need to be created. Navigate to NetScaler Gateway –> Policies –> Authentication --> LDAP and click on the Servers tab.

Click on the Add… button to create a new authentication server.

Fill in the following in the Create Authentication Server window:

IP Address: The IP address of the domain controller
Port: The port for LDAP (389 is the default)
Base DN (location of users): The distinguished name of the top-level OU or container where user accounts are stored. Note that the search is recursive, so users in sub-OUs can also authenticate.
Administrator Bind DN: The UPN of the service account used for searching the Base DN.
Administrator Password: Password for the service account.
Confirm Administrator Pass…: Password for the service account.

The rest of the fields can be left at their defaults.

Repeat the same procedure for the other domain controllers that are available for authentication.

Policies

Once the authentication server objects have been created, we can proceed with creating an authentication policy for each authentication server by navigating to NetScaler Gateway –> Policies –> Authentication --> LDAP and clicking on the Policies tab.

Click on the Add… button and fill in the following:

Name: <A name for the authentication server policy>
Server: <Select one of the authentication servers created in the previous step>


The NetScaler allows expressions to be defined to restrict which clients may authenticate (e.g. whether the client has an antivirus scanner running), but this design does not include such restrictions, so the only expression defined should be the True value, which equates to no restrictions.

Repeat the procedure for the other authentication servers.

Configure Virtual Servers

The virtual servers in the NetScaler Gateway node represent the actual portal that users connect to, which also authenticates on behalf of the user. As the design of the NetScaler is dual-homed, the interface receiving internet traffic will be used for users authenticating from the internet, and the interface facing the internal network will be used for internal users and as the callback site for StoreFront during the proxied authentication request. With this in mind, two virtual servers will need to be configured by navigating to NetScaler Gateway --> Virtual Servers.

Click on the Add… button and fill in the following fields:

Name: <The name of the portal (in this case a name for the external site)>
IP Address: <The IP address that external internet users will be connecting to>

Assign the SSL certificate that the site will be using. For more information about installing an SSL certificate, please see this post:

Generating CSR and installing certificate on NetScaler VPX 1000
http://terenceluk.blogspot.com/2012/10/generating-csr-and-installing.html
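Having configured the HTTP redirect virtual servers and assigned the gateway certificate, it is worth checking the result from a client rather than trusting the GUI: each HTTP virtual server must answer with a 30x whose Location is an https:// URL, and the HTTPS listener must present a certificate whose chain, names and expiry are what you expect. The following is an added example, not from the original post or from Citrix; it needs PowerShell 5 or later, and the hostnames are placeholders (portal.domain.bm is the name used in this post).

```powershell
# Added example (not from the original post). Hostnames are placeholders.

function Test-HttpsRedirect {
    param([Parameter(Mandatory)][string]$HostName)
    $request = [System.Net.HttpWebRequest]::Create("http://$HostName/")
    $request.AllowAutoRedirect = $false     # inspect the 30x instead of following it
    $request.Timeout = 5000
    try {
        $response = $request.GetResponse()  # 3xx does not throw with AllowAutoRedirect off
    } catch [System.Net.WebException] {
        # No response object at all means the redirect VIP did not answer.
        if (-not $_.Exception.Response) {
            return [pscustomobject]@{ Host = $HostName; Ok = $false; Detail = $_.Exception.Message }
        }
        $response = $_.Exception.Response   # 4xx/5xx: still report what came back
    }
    $status   = [int]$response.StatusCode
    $location = $response.Headers['Location']
    $response.Close()
    [pscustomobject]@{
        Host   = $HostName
        Ok     = ($status -in 301, 302, 307, 308) -and ($location -like 'https://*')
        Detail = "$status -> $location"
    }
}

function Get-TlsListenerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept any certificate during the handshake so a bad one is reported, not hidden.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            DnsNames   = ($cert.DnsNameList.Unicode -join ', ')   # SANs, what browsers match on
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainValid = $cert.Verify()                            # trusted by this client's store
            NameMatch  = $cert.DnsNameList.Unicode -contains $HostName
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# External and internal redirect VIPs, then the gateway's HTTPS listener.
'portal.domain.bm', 'portal-internal.domain.bm' |
    ForEach-Object { Test-HttpsRedirect -HostName $_ } | Format-Table -AutoSize
Get-TlsListenerCertificate -HostName 'portal.domain.bm' | Format-List
```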

Click on the Authentication tab.

Right click under the Authentication Policies window with Primary selected and select Insert Policy.

Insert the authentication policies that were created earlier.

Note that the priority is incremented by a value of 10, where a lower priority value denotes a higher preference.

Click on the Policies tab.

Right click in the Session window and select Insert Policy.

Select New Policy… to create a new policy.

Type in a name for the session policy (this example uses PL_ followed by the IP of the load balanced virtual server) and click on the New button to create a new Request Profile.

Type in a name for the session profile (this example uses AC_ followed by the IP of the load balanced virtual server) and click on the New button to create a new Session Profile.

Click on the Client Experience tab, check the Override Global checkbox for Single Sign-on to Web Applications and check the checkbox for Single Sign-on to Web Applications.

Click on the Security tab, check the Override Global checkbox for Default Authorization Action and change the setting to ALLOW.

Click on the Published Applications tab, enable the Override Global settings for:

  • ICA Proxy
  • Web Interface Address
  • Web Interface Portal Mode
  • Single Sign-on Domain

Fill in the fields as follows:

ICA Proxy: ON
Web Interface Address: http://portal.domain.bm/Citrix/CitrixWeb
Web Interface Portal Mode: Normal
Single Sign-on Domain: <your internal domain for sign on>

Note that the Web Interface Address URL is the address that is passed to the StoreFront server; portal.domain.bm resolves to the load balanced virtual server IP on the NetScaler (172.16.2.21), which load balances between the two StoreFront servers. A DNS name is used instead of the actual load balanced IP because it makes a future change to the load balanced IP as simple as updating the DNS record.

Click on the Create button to create the session profile.

Note that the Request Profile field now has a profile assigned.

Proceed by assigning the True value as the expression.

Click the Create button to create the policy and note that the new policy has been assigned to the virtual server with a priority of 100.

Proceed by clicking on the Published Applications tab.

Click on the Add link under the Secure Ticket Authority window and add the Citrix Delivery Controller servers that act as the STA (Secure Ticket Authority):

  1. http://someDeliveryController1.bm
  2. http://someDeliveryController2.bm
  3. http://someDeliveryController3.bm

Note that IPs of the servers are allowed as well, but using DNS names allows us to change the IPs of these servers in the future by simply updating the DNS records.

Repeat the process for the other STA servers and click on the Create button to create the new virtual server.

To confirm that the STA servers are reachable, double click on the virtual server that was just created and navigate to the Published Applications tab to verify that the STAs have their State labelled as UP.

Repeat the same procedure for the internal server.

We will be reusing the same policy we created earlier, named PL_172.16.2.21, for this virtual server.

Click on the Add link under the Secure Ticket Authority window and add the Citrix Delivery Controller servers that act as the STA (Secure Ticket Authority):

  1. http://someDeliveryController1.bm
  2. http://someDeliveryController2.bm
  3. http://someDeliveryController3.bm

Note that IPs of the servers are allowed as well, but using DNS names allows us to change the IPs of these servers in the future by simply updating the DNS records.

Confirm that the STA servers are reachable by double clicking on the virtual server that was just created and navigating to the Published Applications tab to verify that the STAs have their State labelled as UP.

StoreFront Configuration

Configure NetScaler Gateway

The NetScaler Gateway node needs to be configured first because the object created here will be referenced during the Stores configuration. Click on Add NetScaler Gateway Appliance.

Fill in the following fields:

Display name: <A logical name representing the NetScaler VPX appliance>
NetScaler Gateway URL: <The URL for the StoreFront server to reach the load balanced virtual server configured on the NetScaler (172.16.2.21)>
Version: <Specify the version of the NetScaler appliance>
Subnet IP Address: <The subnet IP (SIP) of the NetScaler appliance>
Logon type: <Select Domain>
Callback URL: <Specify a URL that points to the internal virtual server configured on the NetScaler (172.16.2.20)>

Once the NetScaler Gateway has been created, proceed by clicking on Secure Ticket Authority.

Click on the Secure Ticket Authority link on the right hand pane and enter the following STA servers:

  1. http://AGZENCONT01SRV.belco.bhl.bm
  2. http://AGZENCONT02SRV.belco.bhl.bm
  3. http://AGZENCONT03SRV.belco.bhl.bm


Configure Server Group

Ensure that the Base URL is configured as the StoreFront server’s name.

Configure Authentication

Enable the following Authentication Methods:

  1. User name and password
  2. Domain pass-through
  3. Pass-through from NetScaler Gateway

Configure Stores

Click on Enable Remote Access.

Configure the following:

Remote access: <Full VPN tunnel>
NetScaler Gateway appliances: <Select the NetScaler Gateway appliance object>
Default appliance: <Select the NetScaler Gateway appliance object>


Configure Receiver for Web

No configuration changes are required for the Receiver for Web node.

Configure Beacons

No configuration changes are required for the Beacon settings.