
Monday, April 15, 2019

Remotely terminating a remote session on a Citrix XenApp or RDS server

I’ve been asked several times in the past about the following error that is presented if a user attempts to RDP (remote desktop) to a Citrix XenApp application server:

The target session is incompatible with the current session.

This message is presented because the account used for the RDP connection already has a previous ICA session in a disconnected state.  You can verify this by using the net use command to connect to the server, then the query session command to list the sessions on the server:

Step #1 – Connect to the remote server

Launch the command prompt and execute the following:

net use \\<serverName> /user:<adminUserName> <Password>

The command should display the following message if the connection is successful:

The command completed successfully.

Step #2 – Query session on the remote server

Execute the following command to list the sessions on the remote server:

query session /server:<serverName>

The command should display sessions along with the following headings:

  • SESSIONNAME
  • USERNAME
  • ID
  • STATE
  • TYPE
  • DEVICE

Locate the username you are looking for as well as the ID number.

Step #3 – Terminate session on the remote server

With the ID of the username you want to terminate located, execute the following command to terminate it:

reset session <ID> /server:<serverName>

Step #4 – Confirm that the session on the remote server has been terminated

The command will not provide any output after completion so execute the query session command to confirm that the session has been terminated:

query session /server:<serverName>

Below is an example of the output from the commands executed above:

You should be able to RDP to the server now that the session is no longer present for the account connecting.
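The four steps above as one script, as an added example that is not part of the original post: it parses the query session output, selects only the named user's sessions in the Disc state, and resets them behind a confirmation prompt. The function names and the sample output are constructed for illustration, and the script assumes the console already has rights on the server (Step #1).

```powershell
# Added example, not from the original post. Function names are hypothetical.
function ConvertFrom-QuerySession {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.Length -lt 2 -or $line -match '^\s*SESSIONNAME\s+USERNAME') { continue }
        # Column 0 holds the '>' marker for the current session; a session
        # name, when present, starts in column 1.
        $hasName = $line.Substring(1, 1) -ne ' '
        $tokens  = @(-split $line.Substring(1))
        $name    = ''
        if ($hasName) {
            $name   = $tokens[0]
            $tokens = @($tokens | Select-Object -Skip 1)
        }
        # USERNAME is blank for listener and service sessions, so the ID may come first.
        if ($tokens.Count -ge 2 -and $tokens[0] -match '^\d+$' -and $tokens[1] -notmatch '^\d+$') {
            $user = ''; $id = $tokens[0]; $state = $tokens[1]
        } elseif ($tokens.Count -ge 3) {
            $user = $tokens[0]; $id = $tokens[1]; $state = $tokens[2]
        } else { continue }
        [pscustomobject]@{ SessionName = $name; UserName = $user; Id = [int]$id; State = $state }
    }
}

function Reset-DisconnectedSession {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$UserName
    )
    # Step 2: list sessions; keep only this user's disconnected ones
    $targets = ConvertFrom-QuerySession -Lines (query session /server:$Server) |
        Where-Object { $_.UserName -eq $UserName -and $_.State -eq 'Disc' }
    foreach ($s in $targets) {
        # Step 3: reset, but only after -Confirm / -WhatIf has had its say
        if ($PSCmdlet.ShouldProcess("$Server session $($s.Id) ($($s.UserName))", 'reset session')) {
            reset session $s.Id /server:$Server
        }
    }
    # Step 4: return whatever sessions the user still has on the server
    ConvertFrom-QuerySession -Lines (query session /server:$Server) |
        Where-Object { $_.UserName -eq $UserName }
}

# Constructed sample output, used here to exercise the parser offline
$sample = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    '>rdp-tcp#3         adminuser                 2  Active',
    '                   jsmith                    5  Disc',
    ' ica-tcp                                 65536  Listen'
)
ConvertFrom-QuerySession -Lines $sample | Where-Object { $_.State -eq 'Disc' } | Format-Table -AutoSize
```

Running Reset-DisconnectedSession with -WhatIf lists the sessions that would be reset without touching them; the services session in the sample is also in the Disc state but has no user name, so the user filter never selects it.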

Saturday, April 13, 2019

Attempting to upgrade Microsoft Exchange Server 2016 from CU8 to CU12 fails with: “Setup can't continue with the upgrade because the mscorsvw (3152) has open files.”

Problem

You’re attempting to upgrade Microsoft Exchange Server 2016 from CU8 to CU12 but the process fails at the Prerequisite Analysis with:

Setup can't continue with the upgrade because the mscorsvw (3152) has open files. Close the process, and then restart Setup.

For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ProcessNeedsToBeClosedOnUpgrade.aspx

Solution

This error is typically thrown shortly after a server restart, when the .NET Framework’s Native Image Generator Technology (NGEN) is running in the background.  It is not a good idea to try to terminate the process; waiting around 10 minutes is usually enough for it to complete, depending on how fast the server hardware can finish the operations.

For the environment in this example, it took about 8 minutes for the installer to successfully run:

Friday, April 12, 2019

Attempting to enable a user for Unified Messaging in Exchange Server 2016 fails with: "Extension xxxx is already assigned to another user on the dial plan UMDialPlan or on an equivalent dial plan."

Problem

You attempt to enable a user for Unified Messaging in Exchange Server 2016 but receive the following error:

Extension xxxx is already assigned to another user on the dial plan UMDialPlan or on an equivalent dial plan.

You know that this extension was previously assigned to another user so you search for the previous user and can confirm that Unified Messaging for the user is disabled:

Reviewing the properties of the account’s email addresses confirms there are no EUM addresses:

Executing the following cmdlets does not display this extension assigned to anyone in the dial plan:

Get-UMMailbox | where { $_.Extensions -eq "9533" }

Get-UMMailbox | Format-Table -Wrap -AutoSize > C:\UMExt.txt

You proceed to review the msExchShadowProxyAddresses attribute in the previous user’s AD user account’s properties’ Attribute Editor:

You can see an EUM address with the extension and proceed to remove it.

However, this does not correct the issue as the same error message is thrown.

Solution

I can’t take full credit for the solution but figured it would be worth blogging since it took over an hour for me to locate a cmdlet that was able to find the offending user.  This cmdlet can be found on this forum post:

https://social.technet.microsoft.com/Forums/en-US/55dc00d5-2301-49d0-9a02-482d237c339b/exchange-server-2013-enableummailbox-error-extension-2909-is-already-assigned-to-another-user-on?forum=exchangesvrunifiedmessaging

The cmdlet was:

Get-ADobject -filter * -Properties name,msRTCSIP-Line,telephoneNumber,proxyAddresses | Select-Object name,msRTCSIP-Line,telephoneNumber,@{Name="proxyAddresses";Expression={[string]::join(";",( $_ | Select-Object -ExpandProperty proxyaddresses ))}} | Where-Object { $_.proxyAddresses -like "*9533*" } | Format-table -Wrap -AutoSize

This user also had Unified Messaging disabled:

However, the eum attribute was visible in the properties of the email address settings:

Removing the attributes corrected the issue.

Thursday, April 11, 2019

Attempting to launch a NetScaler published Citrix XenDesktop / XenDesktop application or desktop fails with: “(Unknown client error 0).”

Problem

You attempt to launch a NetScaler published Citrix XenDesktop / XenDesktop application or desktop but immediately receive the following error for the desktop:

The connection to “XenApp Desktop” failed with status (Unknown client error 0).

Launching an application fails with the following message:

Unable to launch your application. Contact your help desk with the following information:

Cannot connect to the Citrix XenApp server.Protocol Driver error

Solution

In the case of this environment, there were 2 issues.

#1 – Certificate on Delivery Controller expired

Reviewing the event logs on the Delivery Controller indicated that the certificate bound to IIS had expired:

An SSL connection could not be established: The server sent an expired security certificate. The certificate *.domain.int is valid from 10/27/2016 1:45:38 PM until 10/27/2018 1:45:38 PM.. This message was reported from the Citrix XML Service at address https://svr-ctxdc-02.domain.int/scripts/ctxsta.dll[UnknownRequest]. The specified Secure Ticket Authority could not be contacted and has been temporarily removed from the list of active services.

Log Name: Citrix Delivery Services

Source: Citrix Store Service

Event ID: 0

Level: Error
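A check that would have flagged this certificate before it expired, as an added example that is not part of the original post: it reads the HTTPS bindings on the Delivery Controller and reports how many days each bound certificate has left. The function name and the 30-day threshold are assumptions, as are the English-language netsh labels and the use of the LocalMachine\My store.

```powershell
# Added example, not from the original post. Run on the Delivery Controller.
function Get-BoundCertificateExpiry {
    param(
        [int]$WarnDays = 30,
        # Output of "netsh http show sslcert" (English labels assumed)
        [string[]]$NetshOutput = (netsh http show sslcert)
    )
    $now     = Get-Date
    $binding = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(?:IP:port|Hostname:port)\s*:\s*(\S+)') {
            # Start of a binding record, e.g. 0.0.0.0:443
            $binding = $Matches[1]
        }
        elseif ($binding -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $thumb = $Matches[1].ToUpper()
            # Look the thumbprint up in the machine's Personal store
            $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
            if ($cert) {
                $days   = [math]::Floor(($cert.NotAfter - $now).TotalDays)
                $status = if ($days -lt 0) { 'EXPIRED' }
                          elseif ($days -le $WarnDays) { 'EXPIRING' }
                          else { 'OK' }
            } else {
                $days = $null; $status = 'NOT IN STORE'
            }
            [pscustomobject]@{
                Binding    = $binding
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                DaysLeft   = $days
                Status     = $status
                Thumbprint = $thumb
            }
            $binding = $null
        }
    }
}

# Anything not 'OK' needs attention before the STA starts rejecting connections
Get-BoundCertificateExpiry | Sort-Object DaysLeft | Format-Table -AutoSize
```

Scheduling this and alerting on any status other than OK catches the renewal ahead of the outage described above.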

#2 – There were no STAs defined for the NetScaler Virtual Server

Reviewing the settings on the NetScaler virtual server also showed that there were no STAs defined:

Notice how Published Applications was an option on the right side of the Advanced Settings options.

Configuring the appropriate STAs (the Delivery Controllers) should correct the issue:

Wednesday, April 10, 2019

Deleting stuck VMware Horizon View VMs with viewdbchk.cmd

Problem

You have a pool of desktops that are currently in a status / state where you are unable to use the VMware Horizon 7 administrator console to remove:

Deleting (missing)

Maintenance mode (missing)

Solution

Older versions of View required the administrator to manually remove references to the VMs from the ADAM database hosted on the View Connection Servers, the entries in the Composer SQL database, the virtual machine in vCenter (if it exists), as well as the Active Directory computer object, but newer versions such as 7 now provide a tool named viewdbchk.cmd that automates this process.

This command can be found at the following directory:

C:\Program Files\VMware\VMware View\Server\tools\bin

Simply executing this command will provide you with the switches available:

C:\Program Files\VMware\VMware View\Server\tools\bin>viewdbchk.cmd

No command specified

ViewDbChk --findDesktop --desktopName <desktop name> [--verbose]

Find a desktop pool by name.

ViewDbChk --enableDesktop --desktopName <desktop name> [--verbose]

Enable a desktop pool.

ViewDbChk --disableDesktop --desktopName <desktop name> [--verbose]

Disable a desktop pool.

ViewDbChk --findMachine --desktopName <desktop name> --machineName <machine name> [--verbose]

Find a machine by name.

ViewDbChk --removeMachine --machineName <machine name> [--desktopName <desktop name>] [--force] [--noErrorCheck] [--verbose]

Remove a machine from a desktop pool.

ViewDbChk --scanMachines [--desktopName <desktop name>] [--limit <maximum deletes>] [--force] [--verbose]

Scan all machines for problems. The scan can optionally be limited to a specific desktop pool.

ViewDbChk --help [--commandName] [--verbose]

Display help for all commands, or a specific command.

C:\Program Files\VMware\VMware View\Server\tools\bin>

Using automated scan option to detect problematic virtual machines

The recommended first step to take is to use the scanMachines switch to allow the tool to automatically detect any problematic machines in the pools. Note that the tool needs the pool to be disabled in order for it to scan it and it is best to disable provisioning as well to prevent new machines from being provisioned when one is deleted.

Here is a sample of the process with a limit of 200 machines specified:

viewdbchk.cmd --scanMachines --limit 200

C:\Program Files\VMware\VMware View\Server\tools\bin>viewdbchk.cmd --scanMachines --limit 200

Checking for machines with errors...

Connecting to vCenter "https://contukvc01.contoso.com:443/sdk". This may take some time...

Connecting to vCenter "https://contdrvc01.contoso.com:443/sdk". This may take some time...

Found 35 machine(s) with errors in 4 desktop pool(s)

Processing desktop pool "cont_disaster_recovery"

Desktop Pool Name: cont_Disaster_Recovery

Desktop Pool Type: STICKY_TYPE

VM Folder: /UK DR/vm/VM View/cont_Disaster_Recovery/

Desktop Pool Disabled: true

Desktop Pool Provisioning Enabled: false

Checking connectivity...

Machine "contDR-008" has errors

VM Name: contDR-008

Creation Date: 9/24/18 9:21:43 PM BST

MOID: vm-10521

VM Folder: /UK DR/vm/VM View/cont_Disaster_Recovery/contDR-008

VM State: MAINTENANCE

VM Missing In vCenter: true

Do you want to remove the desktop machine "contDR-008"? (yes/no):

As shown above, the tool will prompt you with the suspected problematic virtual desktop name and ask if you would like to remove it. It is important that you verify the virtual machine identified is indeed a machine you would like to delete as you cannot reverse the process.

Selecting yes to the machine will output the following:

Do you want to remove the desktop machine "contDR-008"? (yes/no):yes

Shutting down VM "/UK DR/vm/VM View/cont_Disaster_Recovery/contDR-008"...

** ERROR: EXCEPTION: VM not found: vm-10521 **

Removing VM "/UK DR/vm/VM View/cont_Disaster_Recovery/contDR-008" from inventory...

** ERROR: EXCEPTION: VM not found: vm-10521 **

Removing ThinApp entitlements for machine "/UK DR/vm/VM View/cont_Disaster_Recovery/contDR-008"...

Removing machine "/UK DR/vm/VM View/cont_Disaster_Recovery/contDR-008" from LDAP...

Running delete VM scripts for machine "/UK DR/vm/VM View/cont_Disaster_Recovery/TMRDR-008"...

Machine "contDR-004" has errors

VM Name: contDR-004

Creation Date: 9/24/18 9:21:43 PM BST

MOID: vm-10520

VM Folder: /UK DR/vm/VM View/cont_Disaster_Recovery/contDR-004

VM State: MAINTENANCE

VM Missing In vCenter: true

Do you want to remove the desktop machine "contDR-004"? (yes/no):

The tool will proceed with scanning other machines once the earlier problematic machine has been deleted. Once all of the identified VMs are deleted, the tool will ask if you would like to re-enable provisioning if it is currently disabled:

With the pass of the first pool completed, it will move on to the next pool, but if the pool is not disabled then it will ask if it can be disabled. This is obviously potentially service impacting so if the pool is in production and being used, select no.

Checking connectivity...

The desktop pool "Standard_Desktop" must be disabled before proceeding. Do you want to disable the desktop pool? (yes/no):

Manually identifying problematic virtual machines and removing them

There will be times when the scanMachines switch would not be able to identify problematic machines. An example of this would be pools that are stuck in the Deleting state:

You can find these machines in the Machine view but are unable to click into the pool itself:

The method to remove these machines would be to manually specify the machine name and the pool using the removeMachine switch. The following is an example of the command:

viewdbchk.cmd --removeMachine --machineName UKVD-050 --desktopName Building__VMs

The following is an example of the output:

C:\Program Files\VMware\VMware View\Server\tools\bin>viewdbchk.cmd --removeMachine --machineName contUKVD-050 --desktopName Building__VMs

Looking for desktop pool "Building__VMs" in LDAP...

Desktop Pool Name: Building__VMs

Desktop Pool Type: STICKY_TYPE

VM Folder: /Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/

Desktop Pool Disabled: true

Desktop Pool Provisioning Enabled: false

Desktop Pool Provisioning Error: The task was canceled by a user.

Looking for machine "/Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/contUKVD-050" in vCenter...

Connecting to vCenter "https://contukvc01.contoso.com:443/sdk". This may take some time...

** ERROR: NOT FOUND **

Checking connectivity...

Found machine "contUKVD-050"

VM Name: contUKVD-050

Creation Date: 3/6/19 6:48:14 AM GMT

MOID:

VM Folder: /Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/contUKVD-050

VM State: DELETING

VM Missing In vCenter: true

Do you want to remove the desktop machine "contUKVD-050"? (yes/no):Yes

LDAP record for machine "contUKVD-050" is incomplete.

Trying to remove machine by name...

Looking for machine "/Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/contUKVD-050" in vCenter...

** ERROR: NOT FOUND **

Removing ThinApp entitlements for machine "/Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/contUKVD-050"...

Removing machine "/Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/contUKVD-050" from LDAP...

Running delete VM scripts for machine "/Hemel Hempstead/vm/contE UK Windows 10 VDI/London/Gold 2vCPU - 8GB RAM/Building__VMs/contUKVD-050"...

Provisioning has been disabled for the desktop pool "Building__VMs". Do you want to enable it? (yes/no):

Repeat the same for all the other VMs and the pool will be successfully removed.

Tuesday, April 9, 2019

Build document for Dell Wyse 7020 thin client with VMware Horizon View client custom shell

As noted in one of my previous posts:

Configuring a custom shell launcher with VMware Horizon View Client on a Dell Wyse 7020 Windows 10 IoT device
http://terenceluk.blogspot.com/2019/03/configuring-custom-shell-launcher-with.html

I was recently involved with building a base image for a Dell Wyse 7020 Windows 10 IoT device that was non-domain joined and used a customized VMware Horizon View shell without access to the desktop for users to log into their virtual desktops.  The build is not quite complete in the way I want it to be due to the time constraint I had to work with but the steps outlined in this blog post should provide a good set of steps as a start.

Base Operating System Image

Windows 10 IoT Maintenance Release

Download the latest Dell provided Windows 10 IoT Enterprise Maintenance Release at the following URL:

https://www.dell.com/support/home/us/en/04/product-support/product/wyse-7020/drivers

Security Patches

Download and install the latest security patches from the following URL:

https://www.dell.com/support/home/us/en/04/product-support/product/wyse-7020/drivers

Base Applications

Remove Unused Applications

TightVNC

Remove the pre-installed TightVNC with the following commands:

cd\
"C:\Program Files\TightVNC\tvnserver.exe" -remove
rmdir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TightVNC" /s /q
rmdir "C:\Program Files\TightVNC" /s /q

Ericom Connect Client

Remove the pre-installed Ericom Connect Client software with the following command:

wmic product where name="Ericom Connect Client" call uninstall

Ericom PowerTerm InterConnect for Thin Clients

Remove the pre-installed Ericom PowerTerm InterConnect for Thin Clients software with the following command:

wmic product where name="Ericom PowerTerm InterConnect for Thin Clients" call uninstall

Lync VDI Plugin

VMware Horizon View now utilizes a gen 2 Skype for Business Server integration that is built directly into the Horizon View Client so there is no need to have the Lync VDI plug-in installed onto the thin client.  Remove the plug-in by creating the following XML file:

<Configuration Product="Lyncvdi">
<Display Level="none" CompletionNotice="no" SuppressModal="yes" AcceptEula="yes" />
<Setting Id="SETUP_REBOOT" Value="Never" />
</Configuration>

Then execute this command:

"C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe" /UNINSTALL Lyncvdi /config D:\TMRUK-7020\UninstallLync.xml

Operating System Customizations

Remove Unused

Enable Firewall

Enable the Windows firewall on the Windows 10 IoT operating system.

Disable Display Last User Name

Disable the display of the last signed-in user name in Windows, which also causes the Horizon View client to not remember the previous login, via the following registry key:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001

Disable VMware Horizon View Client Shade

Disable the shade of the VMware Horizon View client via the registry key for the User account:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\VMware, Inc.\VMware VDM\Client]
"EnableShade"="false"

**Note that this is added to the local user account’s HKCU.  The HKLM configuration never worked during my testing.

Force Num Lock On

Create the following registry key file (.reg) and import the configuration to force Num Lock on for all profiles.

Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Control Panel\Keyboard]
"InitialKeyboardIndicators"="2"
"KeyboardDelay"="1"
"KeyboardSpeed"="31"

Configure Power Plan

The preparation of the image for capture does not retain the Power Plan settings but it is still good to configure it in case future versions of the script do.

Set Power Plan to High Performance

Execute the following command to configure the power plan as High performance:

powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Turn off Display

Execute the following command to configure the high performance power plan to turn off the display after 15 minutes:

powercfg -x -monitor-timeout-ac 15

Computer Sleep Mode

Execute the following command to configure the high performance power plan to never put the computer to sleep:

powercfg -x -standby-timeout-ac 0

Change Admin and User account credentials

Change the default DellCCCvdi credentials for both the Admin and User account.

Update Credentials for Auto Logon

Update the credentials used for auto logging on the User account:

Configuring Custom Shell for User Account

Refer to one of my earlier posts here:

Configuring a custom shell launcher with VMware Horizon View Client on a Dell Wyse 7020 Windows 10 IoT device
http://terenceluk.blogspot.com/2019/03/configuring-custom-shell-launcher-with.html

Preparing Image for Capture

Execute the Build_Master.cmd in the C:\Windows\Setup folder on the thin client to start the capture wizard:

Fill in the appropriate settings and select the Enable local account credential changes under the Configure local account credentials heading to configure the password for the admin and user account.

Note the following settings that do not end up getting retained after the image preparation:

  1. The name of the Windows OS does not change
  2. The Power Scheme configuration will be reverted back to defaults (monitor and computer would go to sleep)

More information about the Custom Sysprep tool can be found here: https://www.dell.com/support/manuals/us/en/04/wyse-7020/wie10_th_mr4/running-custom-sysprep-tool?guid=guid-5bd77921-f2e6-4c84-b55f-dbffddc1a89f&lang=en-us

Post Image Operation

Customizations

Configure and reconfigure the following customizations that do not get retained after customization.

Configure Computer Name

Configure a unique name for the Windows 10 IoT operating system.

Set Power Plan to High Performance

Execute the following command to configure the power plan as High performance:

powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Turn off Display

Execute the following command to configure the high performance power plan to turn off the display after 15 minutes:

powercfg -x -monitor-timeout-ac 15

Computer Sleep Mode

Execute the following command to configure the high performance power plan to never put the computer to sleep:

powercfg -x -standby-timeout-ac 0

Prevent User from launching Internet Explorer

Configure the following AppLocker rules for the local computer policy to prevent the user from launching Internet Explorer.  Note that this may be able to be bundled into the prebuild but I was not able to test to see if this is retained after the image prep process.

Launch GPEdit.msc and navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules > Create New Rule…:

Configure the local User with the Action as Deny:

I haven’t had any luck using Path as the Condition so select Publisher:

Click on the Browse button and locate the 32 or 64-bit version of Internet Explorer:

There will not be a need for Exceptions so proceed to the next page:

Leave the name as the default and complete the creation:

Select Yes to create the default rules:

**Repeat the same for the 32 or 64-bit Internet Explorer.

Proceed and create the default rules for the Packaged app Rules:

Force the Application Identity service to automatically start by editing the following registry key (if this isn’t started then AppLocker will not work):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc]
"Start"=dword:00000002

Note that you would receive an Access is denied error if you attempt to manually configure this in the services console:

Having the above configured will prevent users from launching IE via the About VMware Horizon Client window:

Notes

Limitations

The following are items that need to be highlighted as the build can be improved on but were left out due to the amount of time available for the initial build.

Host name generation

The feature Host Name calculation is supposed to generate a new name for the Windows 10 IoT OS but it does not:

Power Scheme Settings

It should be possible to place the power scheme commands in the scripts that are executed at the end of the preparation but this requires time to identify and test.

Preparation Finalization

The initial build of the image does not complete automatically because the final steps require the Windows shell, but the customization of the User account to be shell-less means the administrator needs to manually log into the thin client as the admin account so the finalization can complete.

AppLocker Configuration

The AppLocker configuration can be included into the base image but due to time constraints, it was not added in.

Further Security Lockdown

AppLocker can be further configured to disable other applications that may be able to be launched within the shell but will require additional time.
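Because several of these settings are not retained by the image preparation, a post-deployment audit of the build is useful. The script below is an added example, not part of the original build document: it checks the machine-wide settings configured above and returns one pass/fail row per item. The helper names and the display-name patterns used to spot leftover software are assumptions; it is meant to be run elevated as the admin account, so the per-user EnableShade value is not covered.

```powershell
# Added example, not from the original build document. Helper names are hypothetical.
function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-ThinClientBuild {
    # Pre-installed remote-access software should be gone
    $vnc = Test-Path 'C:\Program Files\TightVNC'
    New-Check 'TightVNC removed' (-not $vnc) "folder present: $vnc"

    # Display-name patterns are assumptions; adjust to what the image actually lists
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $left = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Ericom*' -or $_.DisplayName -like '*Lync VDI*' } |
        ForEach-Object { $_.DisplayName })
    New-Check 'Ericom / Lync VDI removed' ($left.Count -eq 0) ($left -join '; ')

    # Windows firewall enabled on every profile
    $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } |
        ForEach-Object { $_.Name })
    New-Check 'Firewall on for all profiles' ($off.Count -eq 0) "disabled: $($off -join ', ')"

    # Logon screen must not show the previous user name
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'dontdisplaylastusername'
    New-Check 'Last user name hidden' ($v -eq 1) "dontdisplaylastusername=$v"

    # AppLocker is inert unless the Application Identity service is running
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc' 'Start'
    $svc   = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcOk = ($start -eq 2) -and ($svc.Status -eq 'Running')
    New-Check 'Application Identity automatic and running' $svcOk "Start=$start Status=$($svc.Status)"

    # The effective policy must hold at least one Deny publisher rule for executables
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe      = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $deny     = @($exe.FilePublisherRule | Where-Object { $_.Action -eq 'Deny' })
    $products = $deny | ForEach-Object { $_.Conditions.FilePublisherCondition.ProductName }
    $ruleOk   = ($deny.Count -gt 0) -and ($exe.EnforcementMode -ne 'AuditOnly')
    New-Check 'AppLocker Exe deny rule enforced' $ruleOk "mode=$($exe.EnforcementMode); deny: $($products -join ', ')"
}

Test-ThinClientBuild | Format-Table -AutoSize -Wrap
```

The default DellCCCvdi credentials cannot be verified this way and still need to be confirmed changed by hand.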