VMware Horizon View

Horizon View 6.2.2 Gotchas

Hey guys!

A customer and I upgraded their 1500+ seat production VDI+RDSH deployment from VMware Horizon View 6.0 to the latest 6.2.2 this week, and encountered a few issues that are not particularly talked about. This will be more of a brief than my typical post due to time constraints, but I will likely go back to add color as soon as possible.

  1. The first revelation isn’t directed toward VMware at all – This was a facility that utilizes Dragon for dictation, and their support for the PowerMic II’s is dismal. When we upgraded the Horizon View Agent on a user linked-clone pool that was configured for Dragon, the microphone was no longer detected. After a long weekend with no response, my customer was told the issue is likely bandwidth related. That’s a heck of a leap given the circumstances and troubleshooting we recounted to them, especially with no investigation on their part.
  2. For the VMware side of the house – Holy moley was this a hard upgrade for some reason. We walked through all of the pre-reqs (Including new firewall ports) for the new version of Horizon View but felt the smite of the installer itself instead – Even when it reported a clean installation, there were issues with a partial upgrade with most components:
    1. View Composer was partially upgraded even though it claimed success.
    2. View Connection Servers claimed success but still said 6.0 in the Administrator Console. VMware told us that this is a graphical bug they’re trying to squash.
    3. View Security servers would not pair, likely due to corrupted installs with mixed data.
    4. IPSec connectivity between security and connection servers was suspect in this customer environment, even with no network firewall between them and the appropriate rules configured in the Windows Firewall. This led to an early morning call due to loss of external connectivity.
    5. In order to use VMware Blast for RDSH applications, a second installer is required. We’re waiting until all agents are updated before deploying as per VMware’s recommendation.
    6. External access through the PCoIP Secure Gateway wouldn’t work until both the View Agent and the user’s Horizon Client were updated to the latest version. This was unexpected and not documented in the VMware Compatibility Matrix. You can imagine the scramble to resolve that one.
    7. Teradici Tera1-based zero clients will be no longer VMware certified (or supported by Teradici) at the end of April 2016. As it is, they can not have the latest 4.8 firmware applied to them, requiring …..
    8. Enable TLS 1.0 and 1.1 if your hardware or software is unable to communicate securely. Or decide to remediate the actual issue (Deprecated hardware/software) instead of compromising security. This will be required end-to-end.

That’s it for now – As I said, I plan to come back and color these in as time permits.

Be careful out there!


Migrating VMware View vCenter to a new host

Hey everyone!

The end of support for Windows Server 2003 is coming, and a lot of organizations are scrambling to migrate their production systems before the July 14, 2015 deadline. Many groups are still running the vCenter (5.0 or 5.1) that VMware View utilizes on Windows Server 2003, and I was recently asked about the migration path. For a vCenter/Windows OS compatibility matrix, click here.

There are two scenarios: One where the vCenter server maintains the same hostname and IP address, and one where the name and IP change. Today’s post deals with the first scenario and tomorrow’s will address the second.


Migrating vCenter to a new host without VMware View downtime
IMPORTANT NOTE: Proceed at your own risk. This operation is not supported by VMware. Click HERE for the KB.

  1. Export RSA Keys from old server
    1. Open an administrative command prompt and navigate to the %windir%\Microsoft.NET\Framework\v2.0xxxxx directory
    2. The ASP.NET IIS registration tool exports the RSA public-private key pair from the SviKeyContainer container to the keys.xml file and saves the file locally. Type: aspnet_regiis -px "SviKeyContainer" "c:\keys.xml" -pri
    3. Copy the .XML file to the new server or network storage.
  2. Document Database user names and passwords

  3. Shutdown Virtual Center Services (And Composer if co-existing) on the vCenter server being replaced

  4. Log into the View Administrator portal and disable virtual machine provisioning.

    1. Expand View Configuration
    2. Go to Servers\vCenter Servers
    3. Select the vCenter that will be migrated, and select ‘Disable Provisioning’
  5. Perform end-to-end backups of your environment (vCenter, Composer, ADAM). KB for that HERE.
  6. Shutdown old vCenter Server.
  7. In Active Directory, delete the old vCenter computer object.
  8. On the new vCenter Server, rename the machine to the same name as the old vCenter Server, assign it the same static IP as the old vCenter, and join it to the domain.
  9. Migrate RSA Keys to New VCenter Server
    1. On the destination computer, open an administrative command prompt and navigate to the %windir%\Microsoft.NET\Framework\v2.0xxxxx directory.
    2. Type: aspnet_regiis -pi "SviKeyContainer" "path\keys.xml" -exp
  10. Install SQL Native Client (sqlncli.msi)
  11. Configure ODBC System DSN Connection for VCenter (Native 64-bit) and View Composer (Native 64-bit).
  12. Perform a simple installation of the vCenter Server and components (same version as what was running on old VCenter Server)
  13. If View composer is not standalone, Install View Composer. This may be a good time to split View Composer off of the vCenter server if that’s your ultimate goal.
  14. Ensure that all services started and are running.
  15. Connect to vCenter using either the vSphere client or Web Client (Depending on version). Ensure that hosts have reconnected and everything looks as you’d expect.
  16. In View Administrator, you may need to go to the Dashboard and Verify the SSL Certificates for the new VCenter.
  17. Enable Provisioning in View Administrator (should just work)
  18. Double-check any customization specs in the new VCenter Server.
  19. Test Recomposing and Provisioning of new Linked Clones.

User experience and expected behavior

It’s not exaggerating to say that this is an intense change-the-tires-while-doing-60-on-the-highway kind of operation, but in my testing of a 25 linked clone environment there was no impact. Any existing desktop connections or new connections to existing desktops should observe little or no disruption of service.

Resolve VMware View desktops in “Already Used” state

Hello!

This blog post should be a refresher, but I had to change this setting recently and thought I’d throw it out there on the blog as well.

In this situation, the client is running Horizon View 6 and predominately uses floating linked clone desktops that are set to refresh once a user logs out. For an unknown reason, this client does not prevent users from performing power operations on the View desktop that they’re connected to. This resulted in a few desktops in an “Already Used” state throughout the day as users presumably shut down or restart their virtual desktops instead of logging off.

IT has been resolving this by manually refreshing desktops in this state. However, there’s an automated way to correct this problem if it’s happening to you! Enter pae-DirtyVMPolicy. This per-pool setting (View 5.1.1 and newer) allows control over how “Already Used” desktops are treated.

There are three policy settings:

pae-DirtyVMPolicy=0. Mark virtual machines that were not cleanly logged off as ‘Already used’ and block user access to them. This is the default behavior in View 4.6 and later releases.

pae-DirtyVMPolicy=1. Allow virtual machines that were not cleanly logged off to become available without being refreshed. View Client users can access these desktops.

pae-DirtyVMPolicy=2. Automatically refresh virtual machines that were not cleanly logged off. View Client users can access these desktops after the refresh operation is completed.

Source: https://www.vmware.com/support/view51/doc/view-512-release-notes.html?ClickID=dkhs0xbx0kzhztss2ynnshxsykxz2zhozybk

To apply a policy, RDP to a connection server and fire up ADSI Edit:

1) Connect to dc=vdi,dc=vmware,dc=int on localhost:

2) Expand the Server Groups OU:

3) Choose a pool experiencing the issue:

4) Right-click and select Properties on that pool:

5) Scroll down until you find pae-DirtyVmPolicy. Set this to a 1 or 2 to resolve.

6) Repeat for all affected pools.
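
To find which pools still need the change before repeating the steps, the policy can be read for every pool in one pass. The following PowerShell is an added example, not part of the original post; it is read-only, assumes the pool objects sit directly under the Server Groups OU from step 2, and treats an unset attribute as the default 0.

```powershell
# Added example: report pae-DirtyVMPolicy for every pool in the View LDAP instance.
# Read-only. Run on a Connection Server with an account allowed to read the directory.
# Requires PowerShell 3.0 or later.

# Policy meanings as listed in the post.
$meaning = @{
    '0' = 'Marked "Already used" and blocked'
    '1' = 'Made available WITHOUT a refresh'
    '2' = 'Refreshed automatically, then made available'
}

function Get-DirtyVMPolicy {
    param(
        # Same naming context the post connects to in ADSI Edit.
        [string]$LdapPath = 'LDAP://localhost/OU=Server Groups,DC=vdi,DC=vmware,DC=int'
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = '(objectClass=*)'
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('pae-dirtyvmpolicy')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are lower-cased by DirectorySearcher.
            $isSet = $r.Properties.Contains('pae-dirtyvmpolicy')
            $value = if ($isSet) { [string]$r.Properties['pae-dirtyvmpolicy'][0] } else { '0' }
            [pscustomobject]@{
                Pool          = [string]$r.Properties['cn'][0]
                Policy        = $value
                ExplicitlySet = $isSet
                Behaviour     = $meaning[$value]
            }
        }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
        $root.Dispose()
    }
}

$pools = @(Get-DirtyVMPolicy)
$pools | Sort-Object Policy, Pool | Format-Table -AutoSize

# Pools on policy 1 give the next user a desktop that was never refreshed; list them separately.
$unrefreshed = @($pools | Where-Object { $_.Policy -eq '1' })
if ($unrefreshed.Count -gt 0) {
    Write-Warning ("Pools handing out unrefreshed desktops: " + (($unrefreshed | ForEach-Object { $_.Pool }) -join ', '))
}
```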

NOTE: It would be a good idea to prevent users from performing power options on View Desktops via Group Policy and let the View Manager handle it. That group policy would change settings here: User Config>Admin Template>Start Menu and Taskbar>Remove and prevent access to the Shutdown, Restart, Sleep, and Hibernate

From the Field: Resolve ‘corrupted’ or stuck View Composer agent

Hey all, 

Yesterday I got to play with something I haven’t seen before. I hope it’s rare and that it’s never seen again, but I wrote down my resolution steps just in case. Note that there is not much (if anything) on the internet for this problem.

I tried many combinations, most of them with less chance of destruction. This is the method that worked. 

– – – – – – – – – – – – –

Issue: When trying to upgrade the View Agent on a VDI master desktop, the below symptoms are observed. 

Symptoms:

The Composer agent is still running, and the service is still started (Even after successful uninstallation):


Resolution Steps:

  1. Clone VM to have a backup
  2. Start machine
  3. Uninstall VMware (Horizon) View Agent 
  4. Reboot
  5. Attempt to install new View Agent
  6. Get messages depicted in the Symptoms section
  7. Verify that the agent was successfully removed, but that the Composer Agent is still running anyway.
  8. Disable the composer service and reboot
  9. Open an administrative command prompt
  10. Manually remove composer service
    1. Type sc delete vmware-viewcomposer-ga

  11. Remove dependencies to View Composer Agent from core windows components.

    1. Open Regedit

    2. Navigate to HKLM>System>CurrentControlSet>Services

    3. Start searching for the DependsOn string for the services listed below. Clear this key:

      1. BFE

      2. Netlogon

      3. TCP/IP

  12. Exit the registry editor and reboot machine.

  13. Install the View agent as if none of this ever happened.
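
Step 11 can be narrowed so that only the Composer entry is removed and each service keeps its other dependencies. The following PowerShell is an added example, not part of the original post; it assumes the dependency list is the DependOnService multi-string value under each service key, and the backup path and -Apply switch are illustrative names.

```powershell
# Added example: find services that still depend on the deleted Composer agent service
# and remove only that entry from their dependency list.
# Report-only unless -Apply is passed. Run elevated. Requires PowerShell 3.0 or later.
param(
    [string]$StaleService = 'vmware-viewcomposer-ga',                 # name used in the sc delete step
    [string]$BackupPath   = "$env:TEMP\DependOnService-backup.json",  # hypothetical backup location
    [switch]$Apply
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$hits = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # REG_MULTI_SZ comes back as a string array; $null when the value is absent.
    $deps = $key.GetValue('DependOnService')
    if ($deps -and ($deps -contains $StaleService)) {
        [pscustomobject]@{
            Service = $key.PSChildName
            Path    = $key.PSPath
            Before  = [string[]]$deps
            After   = [string[]]@($deps | Where-Object { $_ -ne $StaleService })
        }
    }
}

if (-not $hits) {
    Write-Output "No service lists $StaleService as a dependency."
    return
}

$hits | Format-Table Service,
    @{ Name = 'Before'; Expression = { $_.Before -join ', ' } },
    @{ Name = 'After';  Expression = { $_.After  -join ', ' } } -AutoSize

if ($Apply) {
    # Keep the original values so the change can be reversed by hand.
    $hits | ConvertTo-Json -Depth 3 | Set-Content -Path $BackupPath
    foreach ($h in $hits) {
        if ($h.After.Count -gt 0) {
            Set-ItemProperty -Path $h.Path -Name DependOnService -Value $h.After -Type MultiString
        }
        else {
            # Composer was the only dependency: remove the value rather than leave it empty.
            Remove-ItemProperty -Path $h.Path -Name DependOnService
        }
    }
    Write-Output "Updated $(@($hits).Count) service(s). Previous values saved to $BackupPath. Reboot to apply."
}
```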

Unidesk Layering in a VMware View deployment

Happy New Year!

Firstly, I hope everyone had a fantastic 2014 and enjoyed some time with family over the holidays. I had a very short work week, but part of that time was spent deploying Unidesk into my home lab and giving this Layering thing a spin.

What is Layering?
Layering is the separation of the PC experience into individual OS, User, and Application portions.

Conventionally, a PC is monolithic- Windows, Microsoft Word and everything the user created or downloaded is stored on the same hard disk. As time goes on and more “stuff” happens to the machine, the performance and experience degrades.

With Unidesk layering, desktops boot off of a virtual C: drive made up of independently managed layers. Desktop/IT staff creates a golden image complete with user applications, and end users are free to make any customizations they want in their user layers. Unidesk dynamically composites these layers at boot time into unified storage.

Why use a layering solution?

Ease of management: In many situations, there’s a single gold image to patch and run Windows Update on. The application layer can include bundles of applications to get most of the use cases, or individual applications for some subset of users… so a lot of flexibility here. And User data (settings, shortcuts, etc) is persistent regardless of what happens to the other layers. Unidesk also has a built-in “Undo” feature – you can revert a layer back to a prior point in time: This is awesome if you find a Windows Update causes a critical application to behave unexpectedly, or to rid a user desktop of viruses, malware or DLL conflicts.

In Conclusion

This will be the end of this blog post- I’ll kick the tires more over the weekend and come back with some findings on Monday. The Unidesk sales people that I’ve talked to are great guys, and they say that once a potential customer gets a Proof of Concept in the door it’s not long before they’re converted to full-fledged customers. I’ve spent a great deal of time looking at user environment management in 2014, and the Unidesk approach deserves some serious consideration.

A Guide to Migrating VMware 5.1 Databases from SQL Express to SQL

Hey All!

I had a somewhat messier database migration at my most recent site, and it made me do a bunch of research that would make sense to share here. Most of this information came from KBs or scattered across the Internet… so welcome to your one-stop-shop for how to migrate VMware databases, and what I had to do when things went wrong.

I had to migrate a pair of environments today. One of them was a View install that has more moving parts, so I’ll illustrate that here.

 

Getting Started / SQL Pre-Reqs

I’m not going to fill up this blog post with how to set up SQL best practices. I assume that you know that already. I included links just in case. What I WILL include are things that are needed after SQL is set up:

  1. Open port TCP 1433 on any Firewall program running on the machine.
  2. Set ‘Maximum Server Memory‘ (SQL Memory Max) to something sane for your environment.
  3. Open SQL Configuration Manager and expand SQL Network Configuration. Make sure that TCP/IP is enabled. Disable Dynamic Ports.
  4. Good. Now create a new SQL user account– I used VMwareUser.

 

View Composer

I started with the View Composer database because it didn’t have a strong dependency on the other components- The other good reason is that VDI administrators tend to be different than your vCenter administrators and may have different availability windows.

  1. Go through each pool and disable any refit operations that occur on logoff.
    1. This is mostly a safety thing. I want to be sure that there are no desktop operations running until I say “
  2. Disable the View Composer service
  3. Create a backup of the View Composer database using a File Backup in SQL Express.
  4. Copy the database backup to network storage or a local drive on the new SQL server.
  5. Create a new shell database on the shiny SQL server. Call it something nice- this name will only be seen by you or the DBA team.
  6. Right click the new database, go to ‘Tasks’ and select ‘Restore Database‘. Select the backup file, and on the Options tab select ‘OVERWRITE’.
  7. Make VMware User dbo of the restored Composer database.
  8. Back on the server running View Composer, edit the Composer DSN. This is a 64-Bit DSN, so Administrative Tools > Data Sources (ODBC).
  9. Modify the SVIWebConfig. Sorry :-/
  10. Start up View Composer. If it starts without error, re-enable refit operations on the pool.

 

Update Manager

There’s a strong argument to start Update Manager fresh instead of migrating old information – in my case, the customer wanted to maintain some custom baselines… so migrate away!

  1. Disable the VMware Update Manager service.
  2. Create a backup of the VIM_UMDB database using a File Backup in SQL Express.
  3. Copy the database backup to network storage or a local drive on the new SQL server.
  4. Create a new shell database on the shiny SQL server. Call it something nice- this name will only be seen by you or the DBA team.
  5. Right click the new database, go to ‘Tasks’ and select ‘Restore Database‘. Select the backup file, and on the Options tab select ‘OVERWRITE’.
  6. Make VMware User dbo of the restored VUM database.
  7. Back on the server running Update Manager, edit the Update Manager DSN. This is a 32-Bit DSN, so c:\Windows\SysWOW64\odbcad32.exe
  8. Edit the vci-integrity.xml file to reflect the new database information. I’m really sorry about this.
  9. Reconfigure VUM using the VMware Update Manager Configuration Utility 
    1. Modify the Database settings
    2. Re-Register with vCenter.

 

vCenter Database

Here’s the big one. Make sure you have a window of time for this one to be down that extends for both vCenter and SSO – SSO shouldn’t cause an outage, but if there are any configuration issues vCenter won’t be able to start… better to be safe and have a longer outage window than required. While vCenter is offline, no administrators will be able to get in and run the environment, no power operations will occur for VDI desktops, and DRS won’t work (Among other things)

  1. Disable the VMware vCenter service.
  2. Create a backup of the VIM_VCDB database using a File Backup in SQL Express.
  3. Copy the database backup to network storage or a local drive on the new SQL server.
  4. Create a new shell database on the shiny SQL server. Call it something nice- this name will only be seen by you or the DBA team.
  5. Right click the new database, go to ‘Tasks’ and select ‘Restore Database‘. Select the backup file, and on the Options tab select ‘OVERWRITE’.
  6. Make VMware User dbo of the restored vCenter database.
  7. Open the Registry Editor. I’m really sorry about this too.
    1. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > VMware, Inc > VMware VirtualCenter.
      1. Ensure that HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DB\1 contains the correct DSN.
      2. Edit HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DB\1 to the SQL username ‘VMwareUser’
      3. Ensure that HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DB\4 has the right SQL driver.
      4. Edit HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DbInstanceName and clear it (Don’t delete though!)
      5. Edit HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DbServerType and change the Value to Custom.
      6. Open an Administrative Command Prompt. CD to “C:\Program Files\VMware\Infrastructure\VirtualCenter Server” and run the command vpxd.exe -p
        1. Enter password information when requested.
  8. Recreate the SQL Rollup Jobs.
  9. Open another configuration file in notepad: C:\ProgramData\VMware\VMware VirtualCenter\vcdb.properties
    1. Put a hash mark (#) to comment out everything in this file EXCEPT  usevcdb=true
      1. NOTE: The file could be modified to contain correct information, but the above method seems to work fine as well. To each their own.
  10. In the same directory, open dabase_name.properties in notepad. Verify that the Tomcat information is correct.
  11. Attempt to start the vCenter Service.

 

Single Sign On

Reinstall Single Sign On. Just kidding, although migrating this component has made many an engineer pull their hair out. I had my own issues during this migration and the vast number of suggestions I received went along the lines of “It’s better to reinstall vSphere if SSO is having any issues”. I powered through, and now you can too!

  1. Back up the SSO configuration using the “Generate vCenter Single Sign-On backup bundle” link in the Start -> Programs menu from the SSO server.
  2. Disable the vCenter Single Sign-On service.
  3. Create a backup of the RSA database using a File Backup in SQL Express.
  4. Copy the database backup to network storage or a local drive on the new SQL server.
  5. Create a new shell database on the shiny SQL server. Call it something nice- this name will only be seen by you or the DBA team.
  6. Right click the new database, go to ‘Tasks’ and select ‘Restore Database‘. Select the backup file, and on the Options tab select ‘OVERWRITE’.
  7. Create new users (Or verify that the users migrated during the restore process) RSA_USER and RSA_DBA
  8. Check that the RSA_User that was migrated doesn’t have any mappings using this query against the restored database: sp_change_users_login report
  9. Create a new SQL User named RSA_USER at the SQL Server level. Give it the same password as RSA_USER had on the original SQL Express installation.  Set the default database to the newly restored SSO database.
  10. Run this query against the SSO database to re-map the RSA_USER account: sp_change_users_login 'update_one', 'RSA_USER', 'RSA_USER'
  11. Recreate the RSA_DBA SQL user account and give it DBO over the SSO database.
  12. On the SSO Server:
    1. Navigate to the ssocli command – In my case, it was C:\Program Files\VMware\Infrastructure\SSOServer\Utils. Run the following command: ssocli configure-riat -a configure-db --database-host new_host_name
      1. Enter the SSO Master password that was used when SSO was initially set up.
    2. Go up a directory and open up the ..\SSOServer\webapps\ims\WEB-INF\classes\jndi.properties file in Notepad.
      1. Modify com.rsa.db.hostname to the hostname of the new SQL server
      2. Change the com.rsa.instanceName to the SQL Database Name here (instanceName seems inappropriate)
    3. Navigate to C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties
      1. Change the dburl= line to the information for the new server.
  13. Start SSO and hope for the best.

 

Cleanup

Some cleanup items at this point:

  1. Go into the registry and break the dependencies on SQL Express for vpxd.
  2. Restart all VMware services twice to ensure proper operation
  3. Make sure that the Web Client works correctly and that performance graphs load as expected
  4. Restart the server to make sure all comes back up.
  5. ???
  6. Profit!

Can’t start View Composer service after migrating Composer database

Hey all!

This is another story fresh from the field- luckily one with a happy ending.

I was engaged on a fairly quick project to migrate the internal VMware and Horizon View databases from a default SQL Express instance to a new SQL server that the client built and configured. This is something that I’ve done many times in the past, and has routinely gone to plan.

It’s important to remember that every environment is unique. This particular environment required an additional hour of time to get View Composer back up and churning out ReFit operations! As in most things, but particularly advanced IT work…. Prior results don’t guarantee a repeatable checklist!

The process we took for the database migration was as follows:

  1. Create a backup file on SQL Express.
  2. Back up the View Composer database in SQL Express.
  3. Rename the backup file and transfer to network storage/C$ drive of the new SQL server.
  4. Create a shell database in SQL on the destination machine.
  5. Restore the Composer backup OVER the new SQL database.
  6. Create a new SQL account and make it owner of Composer database.
  7. Repoint the Composer DSN on the machine running View Composer using SQL account credentials.

Seems pretty simple, and has worked many times in the past. This time as I said, things didn’t go to plan.

After the migration, going into Services and trying to restart the View Composer service gave an error. In the logs for Composer, I saw that it was trying to connect with the old DSN name and blank credentials.

I checked the DSN, and retested the connection – Correct credentials, and the test was successful as expected. Where is Composer getting this info?

Turns out, I needed to change another thing in this environment.

EDIT SVIWEBCONFIG:
I needed to follow this KB to edit the SVIWebConfig, substituting sane values for our environment:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1022526

After performing the above, Composer started and all was well with the world.

Then I had to migrate the vCenter databases and ran into another weird DSN problem… which will be the subject of another Blog post!