About Me

This blog has been created to share technical information, interesting innovations that I notice on a daily basis and Architectural/Consulting overview of various technologies. My areas of interest, on which I would be blogging, are VMware, Microsoft and Citrix Technologies. I hope you will enjoy this blog and share your experience with me.

Vulnerability Scanner for WannaCry and NotPetya – VDI environments

A lot of enterprises are in the middle of dealing with the WannaCry and NotPetya vulnerability. If you are running an enterprise VDI environment, the fix is pretty simple: target your Master VM or Golden Master images and run Windows Update. Once you have updated the image, simply Recompose or Push-Image the desktop pools with the latest updates. Your environment is quickly secured! These vulnerabilities reiterate the importance of regular patching within production environments for your core infrastructure and Master Images.

WannaCry Patch for All Windows versions - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Vulnerability Scanner

A quick and easy way to scan your environment is to use a free EternalBlue vulnerability scanner: http://omerez.com/eternalblues/

Simply download the scanner and launch it on a Windows VM of your choice on Windows 7/8.1/10.

IP Range:
By default the tool selects the /24 subnet. However, if you have a bigger subnet to scan, such as a /19, simply enter the Start and End of the entire subnet range. In this example it's 192.168.0.0/19. It will scan for 8190 IP addresses.

I hope you scan your environment ASAP! Get rid of the vulnerability ASAP!

Thanks,
Aresh

Horizon 7.2 – RDS Farm with View Composer fails on “Customizing”

While creating an RDSH Farm in Horizon 7.2 using View Composer – Linked Clones and Custom Specification Manager, the creation would fail on “Customization” within the View Administrator console. Upon investigation within vCenter, the Windows Server 2012 R2 RDS Session Host VMs were not getting a valid IP and were receiving 169.x.x.x APIPA addresses.

After researching quite a bit the most common solution to the problem was:

  • Un-install and re-install VMware Tools
  • Un-install and re-install Horizon Agent 7.2 on RDS Master Image

After performing the above two steps the issue completely changed from getting 169.x.x.x APIPA address to a proper DHCP server routable address. However, we are getting a different error this time:

“Windows could not finish configuring the system after a generalized sysprep”.

Final Solution

Within the master image we were using the McAfee VSE Agent Patch 7 as the antivirus protection. This particular version was causing sysprep to fail during customization.

After following the below McAfee KB and installing VSE Patch 9 the error was resolved and customizing of the RDS VM as per the Custom Specification Manager was successful.

Reference Link:
Windows could not finish configuring the system (Sysprep fails when VirusScan Enterprise Patch 7/8 is included in a Windows installation image)

I hope this solution will save time to get the Horizon 7.2 RDSH Farm created quickly.

Thanks,
Aresh

Error 1303 The installer has insufficient privileges to access this directory – Upgrade from App Volumes 2.12 to 2.12.1

With the latest version of App Volumes 2.12.1, you don’t have to uninstall the older version of App Volumes Manager. The App Volumes Manager 2.12.1 installer takes care of uninstalling the old version, performing a fresh install and retaining all the configuration details and settings automatically for you.

During the upgrade I encountered the following error:

“Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files(x86)\CloudVolumes\Manager\log. The installation cannot continue. Log on as an administrator or contact your system administrator.”


Resolution:
In our scenario we have the VMware vRealize Log Insight Agent installed on the App Volumes Manager VMs, which is doing Syslog. The Log Insight agent captures the logs (production.log) inside the folder “C:\Program Files(x86)\CloudVolumes\Manager\log”. As the service was in the running state, it didn't allow the folder to be deleted and left a ghost folder on the filesystem.

After going into services.msc, stopping the VMware vRealize Log Insight Agent service and clicking Retry, the setup manages to complete the upgrade successfully.

I hope this workaround helps you during your upgrade if you encounter a similar error message.

Thanks,
Aresh

EUC Session for VMworld 2017

Folks, I have submitted a session for VMworld 2017. If you would like to see it go on stage then please vote!

My Session:
The secret sauce behind VMware’s internal Horizon desktop deployments [1255]
Ever asked yourself “How does VMware architect their own global Horizon desktop environment?”, “Have they encountered the same obstacles we are facing?” Over the past two years VMware has been re-architecting and re-deploying their virtual desktop infrastructure with Horizon, App Volumes and User Environment Manager (UEM) running on top of the full VMware SDDC stack (vSphere, VSAN, NSX) and integrating with vRealize Operations Manager and Log Insight. In this session the lead architects will reveal all.

Direct Link to my session VOTE HERE: https://my.vmworld.com/scripts/catalog/uscatalog.jsp?search=1255

How to Vote?
Create a new account if you don’t have an existing one -
https://www.vmworld.com/myvmworld.jspa and click on “Create Account”

VMworld 2017 Catalogue
Search in VMworld 2017 Catalogue -
https://my.vmworld.com/scripts/catalog/uscatalog.jsp. Search here for other interesting sessions.

I highly recommend voting on other great sessions submitted by my colleagues.

Please Vote!
Aresh Sarkari

Enabling Verbose Mode for ADMX Logging (NoAD Mode) – VMware UEM 9.1

If you are using VMware UEM for applying ADMX-based settings and want detailed verbose logs on ADMX, then you will have to add an additional advanced setting in the NoAD.xml file.

Background: We were applying an ADMX setting (Desktop Background Wallpaper) and it wasn’t applying on the virtual desktop. The informational logging was not sufficient to derive the root cause of the issue: why was the ADMX setting getting skipped? After enabling verbose logging, it started logging additional information that was helpful in arriving at a conclusion.

Solution (NoAD.xml)
Located under \\FileShare\General\FlexRepository\NoAD subfolder.

Setting: Enable verbose logging for ADMX-based settings, application blocking, and Horizon policies
XML Attribute: AdmxLogging="1"
Comments: Set to 1 to configure

After enabling the setting you will see an additional file called FlexEngine-ADMX.log in the logs folder which will capture all the verbose logging.

Reference KB Article:
Configuring advanced UEM settings in NoAD mode – 2148324

Thanks,
Aresh

How to collect logs from Horizon View 6.x/7.x Instant Clones – Desktop VM’s

If you have desktops deployed via Horizon View 6.x/7.x Instant Clones technology, it can get very difficult to collect the Horizon View Agent logs from the desktop VM for troubleshooting/analysis purposes. The moment the end-user logs off from the desktop, it goes into Status = Disconnected –> Deleting.

vCenter Task for log-in and log-off of the desktop

vCenter Task for Deleting –> Customizing –> Available

The above operations happen very quickly. Suppose in our scenario the desktop was failing on Status=Customizing (View Administrator). The desktop's status would change to the Error state and, after a couple of seconds, move to Deleting; it would remain in this loop until the desktop became available. This is by design, as the Instant Clone is trying to re-create the desktop. There was no way to capture the logs for analysis or troubleshooting.

Resolution: Now you can disable the recovery of Instant Clone desktop VMs if they are in Status=Error (strictly for troubleshooting purposes). This setting can be enabled at the Desktop Pool level.

Desktop Pool Setting (disable autorecovery):

  • Open the Horizon View ADAM – (DC=vdi,dc=vmware,dc=int)
  • Go to OU=Server Groups – on your right select OU=DesktopPoolName (this is the name of your desktop pool)
  • Search for pae-RecoveryDisabled and click Edit
  • Enter Value =1 and click Add – OK

Now whenever a desktop within the Pool is in Status=Error, the VM will not be deleted and will stay in the Error state for you to capture the logs and perform troubleshooting. Please revert this setting once you have finished the analysis. I hope these steps are helpful; leave a comment down below.

Additional KB:
Connecting to the View ADAM Database (2012377)

Thanks,
Aresh

Error accessing iOS devices - VMware Horizon View 7.x and F5 BIG IP APM 12.x

If you have recently upgraded to Horizon 7.x and use BIG IP APM version 12.1, you may realize that your Apple iPad and iOS devices don't work. The following error message is shown on the Horizon View Client (seen on an iPad):

Error: The Horizon server connection failed. Error the connection timed out.

Resolution:
In our scenario all the other devices such as Android, Windows etc. were working fine. To fix this problem we had to create a new F5 iRule (name it F5-APM-iOS-fix):

when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}
Note: Make sure you apply this iRule on the existing Horizon View iApp, or else it will not allow you to apply the iRule and you may get an error message.

Reference KB Article:
K84958121: Accessing VMware Horizon 7 through the BIG-IP APM system

Thanks,
Aresh

Export Writable Volumes from vSAN Datastore

In certain scenarios you need to export Writable Volumes, for example to upload the Writable Volumes *.vmdk to the VMware support team to analyze issues due to Writable Volumes, or simply to export the WV from one vSAN datastore to another vCenter or vSAN Datastore.
Following is the step-by-step procedure to export Writable Volumes from vsanDatastore for troubleshooting purposes:

Source vCenter or vSAN Datastore:

  • Create a dummy VM (No need to power on the VM)
  • Add a HDD to the dummy VM – Use existing disk option – Locate the Writable Volumes under /vmfs/volumes/vsandatastore/cloudvolumes/writables and click OK
  • Now you can export the dummy VM as an OVA or OVF to another vCenter or vSAN datastore
  • Save the OVA to a File Share or GSS FTP for further troubleshooting

Target vCenter or vSAN Datastore

  • Import the OVA into the target vCenter
  • SSH to a host in the cluster from which the Writable Volumes (WV vmdk) need to be copied, and change to the correct path: cd /vmfs/volumes/vsandatastore/cloudvolumes/writables
  • Copy the files *.vmdk from dummy VM Folder to the writable folder
    • cp /vmfs/volumes/DummyVM/AV-WV/domainname!5C.aresh.vmdk /vmfs/volumes/vsandatastore/cloudvolumes/writable
  • Go to App Volumes Manager – Writable Volumes – Import Writable Volumes
  • Now you should see the writable for that user

Following are the steps the engineer (it can be GSS, R&D or L3) needs to perform for further troubleshooting:

  • Import the template into the environment
  • Click on convert to virtual machine
  • Use any existing Windows 7 VM without the AV Agent (make sure no AV agent is installed). One needs to have a Windows 7 VM pre-built
  • Add HDD and select the existing disk option. Search for the vmdk in the folder previously imported
  • Assign the volume a drive letter and you can browse the contents of the WV
  • Troubleshoot further!

I hope this post will save you a lot of time when exporting WV from a vSAN Datastore.

Thanks,
Aresh

Missing default Windows ADMX Templates after importing VMware UEM ADMX files

In VMware User Environment Manager 9.0 (UEM), after you have copied over the VMware UEM Manager GPOs (.ADMX and .ADML) to the central store for group policy administrative templates on a domain controller, you cannot view the default Windows ADMX templates such as System, Network, Control Panel etc.

Issue
After copying the UEM GPO templates to \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions, you cannot see “System” under Computer Configuration – Policies – Administrative Templates.

What is a Central Store on Domain Controller?
It’s a location to centrally store the .ADMX and .ADML files in a domain environment. The path is as follows:

.ADMX - \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
.ADML - \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US

MS Reference KB - https://support.microsoft.com/en-in/kb/3087759

Where are the default group policy administrative templates stored?
When the central store is not enabled, the .ADMX and .ADML files are stored at the default location on a domain controller. The path is as follows:

.ADMX - C:\Windows\PolicyDefinitions
.ADML - C:\Windows\PolicyDefinitions\en-US

Solution
If you cannot see the Windows default templates after enabling the central store, you will have to copy all the ADMX and ADML files manually from the Windows default location to the Central Store on a domain controller.

Copy all the .ADMX/.ADML files from Default to Central Store:

.ADMX
  Source: C:\Windows\PolicyDefinitions
  Destination: \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions

.ADML
  Source: C:\Windows\PolicyDefinitions\en-US
  Destination: \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions\en-US
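
The copy described above can be scripted. The following is an added example, not part of the original post: the function name Copy-DefaultTemplatesToCentralStore and the domain name in the usage comment are hypothetical. It skips any file that already exists in the Central Store so that the UEM templates already copied there are never overwritten, and it supports -WhatIf for a dry run.

```powershell
# Added example (hypothetical function name): copy the default Windows
# templates into the Central Store without overwriting existing files.
function Copy-DefaultTemplatesToCentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,
        [string]$Language   = 'en-US',
        [string]$LocalStore = (Join-Path $env:windir 'PolicyDefinitions')
    )

    # Same layout as in the post: \\FQDN\SYSVOL\FQDN\policies\PolicyDefinitions
    $centralStore = "\\$DomainFqdn\SYSVOL\$DomainFqdn\policies\PolicyDefinitions"
    if (-not (Test-Path -LiteralPath $centralStore)) {
        throw "Central Store not found: $centralStore"
    }

    # .ADMX files sit in the root, .ADML files in the language subfolder.
    $pairs = @(
        @{ Source = $LocalStore
           Destination = $centralStore
           Filter = '*.admx' },
        @{ Source = (Join-Path $LocalStore $Language)
           Destination = (Join-Path $centralStore $Language)
           Filter = '*.adml' }
    )

    foreach ($pair in $pairs) {
        if (-not (Test-Path -LiteralPath $pair.Destination)) {
            New-Item -ItemType Directory -Path $pair.Destination | Out-Null
        }
        $files = Get-ChildItem -LiteralPath $pair.Source -Filter $pair.Filter -File
        foreach ($file in $files) {
            $target = Join-Path $pair.Destination $file.Name
            if (Test-Path -LiteralPath $target) {
                # Never overwrite: the Central Store copy may be a newer or
                # vendor-supplied template (for example the UEM files).
                [pscustomobject]@{ File = $file.Name; Action = 'Skipped (exists)' }
            }
            elseif ($PSCmdlet.ShouldProcess($target, 'Copy template')) {
                Copy-Item -LiteralPath $file.FullName -Destination $target
                [pscustomobject]@{ File = $file.Name; Action = 'Copied' }
            }
        }
    }
}

# Usage (constructed domain name); preview first, then run without -WhatIf:
#   Copy-DefaultTemplatesToCentralStore -DomainFqdn 'corp.example.com' -WhatIf
```

Run it from an elevated session with write access to SYSVOL; the returned objects give a per-file record of what was copied and what was left alone.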

I hope the above steps will help you to get your default Windows ADMX templates back and help you complete the remaining VMware UEM 9.0 server configuration.

Thanks,
Aresh

Solving Microsoft Outlook (.OST) issues by combining VMware UEM and App Volumes

Microsoft Outlook *.ost files have been a long-outstanding challenge within Windows 7/8/10 floating desktops. Using VMware User Environment Manager (UEM) and App Volumes together can overcome this challenge. Microsoft never supported or recommended keeping .ost files on File Shares, and with O365 in the equation the .ost files can reach enormous sizes, making it impossible to provide the optimal end-user experience you would get running from a PC.

App Volumes

  • Writable Volumes with the User Installed Applications template will be used to store the Outlook .ost and profile configuration details (.xml)
  • The .ost is stored within the writable volumes. Hence there is no performance impact like storing it on remote file shares
  • Depending upon the mailbox sizes you can create larger custom Writable Volumes - UIA template (the default template in AV is 10 GB). In O365 scenarios it's normal to have a 25GB mailbox size. Customers can create larger WVs depending upon the requirements

UEM

  • Use the ADMX based setting for the Microsoft Office 2013/2016 cache settings. Policy – Default location for OST files
  • The most important step here is to point the .ost location to “C:\Snapvolumestemp\writable\Outlook”. Note this path is not virtualized, so there is no overhead from the filter driver

Using this technique, we can now quickly re-direct the .ost files to writable volumes and continue offering floating desktops to our end-users.

There is also a VMware UEM video which demonstrates these steps in more detail here - https://www.youtube.com/watch?v=bzy4X5xbURY (Thanks to Pim Vandeis from the UEM team)

Thanks,
Aresh
