Monday, October 7, 2013

What is Active Directory? What does it do and how does it work?

I find myself explaining some of what I assume is common knowledge about it almost daily. This question will, hopefully, serve as a canonical question and answer for most basic Active Directory questions.

What is Active Directory?

Active Directory is Microsoft's Directory Server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed (AD Certificate Services, AD Federated Services, etc). It is an LDAP compliant database that contains objects. The most commonly used objects are users, computers, and groups. These objects can be organized into organizational units (OUs) by any number of logical or business needs. Group Policy Objects (GPOs) can then be linked to OUs to centralize the settings for various users or computers across an organization.

What is a domain and what is a forest?

A forest is a security boundary. Objects in separate forests are not able to interact with each other unless the administrators of each separate forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account of a forest, will have no permissions at all in a second forest named domain2.com, even if those forests exist within the same LAN, unless there is a trust in place.
If you have multiple disjoint business units or have the need for separate security boundaries, you need multiple forests.
A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com. You can see that the child domain's name was prepended to the forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.
In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.

I can name my domain whatever I want, right?

Not really. dcpromo.exe, the tool that handles the promotion of a server to a DC isn't idiot-proof. It does let you make bad decisions with your naming, so pay attention to this section if you are unsure. (Edit: dcpromo is deprecated in Server 2012. Use the Install-ADDSForest PowerShell cmdlet or install AD DS from Server Manager.)
First of all, don't use made up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are not reserved. ICANN is selling TLDs now, so your mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you use mycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.

Domain Controllers and Global Catalogs

A server that responds to authentication or authorization requests is a Domain Controller (DC). In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest. It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 if using SSL), then the GC is being queried. If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.
When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination is sent to the DC for both the user account and the computer account that are logging in. Yes, the computer logs in too. This is important, because if something happens to the computer account in AD, like someone resets the account or deletes it, you may get an error that says that a trust relationship doesn't exist between the computer and the domain. Even though your network credentials are fine, the computer is no longer trusted to log into the domain.

Domain Controller Availability Concerns

I hear "I have a Primary Domain Controller (PDC) and want to install a Backup Domain Controller (BDC)" much more frequently than I would like to believe. The concept of PDCs and BDCs died with Windows NT4. The last bastion for PDCs was in a Windows 2000 transitional mixed mode AD when you still had NT4 DCs around. Basically, unless you're supporting a 15+ year old install that has never been upgraded, you really don't have a PDC or a BDC, you just have two domain controllers.
Multiple DCs are capable of answering authentication requests from different users and computers simultaneously. If one fails, then the others will continue to offer authentication services without having to make one "primary" like you would have had to do in the NT4 days. It is best practice to have at least two DCs per domain. These DCs should both hold a copy of the GC and should both be DNS servers that hold a copy of the Active Directory Integrated DNS zones for your domain as well.
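The baseline just described (at least two DCs, each a GC, each serving the AD-integrated DNS zone) can be checked from any domain-joined admin workstation. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed and that Test-NetConnection (Windows 8.1 / Server 2012 R2 and later) is available.

```powershell
# Added example: inventory the DCs of the current domain and check each one against the
# two-DC / GC / DNS baseline described above. Not code from the original post.
Import-Module ActiveDirectory

function Test-DomainControllerHealth {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the domain of the current user
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    if ($dcs.Count -lt 2) {
        Write-Warning "Only $($dcs.Count) DC(s) found in $Domain; best practice is at least two."
    }

    foreach ($dc in $dcs) {
        # 389 is plain LDAP (one domain, referrals for the rest); 3268 is the Global Catalog
        $ldap = Test-NetConnection -ComputerName $dc.HostName -Port 389  -WarningAction SilentlyContinue
        $gc   = Test-NetConnection -ComputerName $dc.HostName -Port 3268 -WarningAction SilentlyContinue

        # A DC that hosts the AD-integrated zone answers the domain's own DC locator SRV record.
        # Asking that DC directly (-Server) bypasses the workstation's resolver and cache.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $dc.HostName -DnsOnly -ErrorAction SilentlyContinue

        [pscustomobject]@{
            HostName        = $dc.HostName
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            Ldap389Open     = $ldap.TcpTestSucceeded
            Gc3268Open      = $gc.TcpTestSucceeded
            ServesDomainDns = [bool]$srv
            FsmoRoles       = ($dc.OperationMasterRoles -join ',')
        }
    }
}

# Usage:
# Test-DomainControllerHealth | Format-Table -AutoSize
```

Any row with IsGlobalCatalog, Gc3268Open or ServesDomainDns set to False is a DC that does not meet the baseline; a warning about a single DC means the domain has no authentication redundancy at all.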

FSMO Roles

"So, if there are no PDCs, why is there a PDC role that only a single DC can have?"
I hear this a lot. There is a PDC Emulator role. It's different than being a PDC. In fact, there are 5 Flexible Single Master Operations (FSMO) roles. These are also called Operations Master roles; the two terms are interchangeable. What are they and what do they do? Good question! The 5 roles and their function are:
Domain Naming Master - There is only one Domain Naming Master per forest. The Domain Naming Master makes sure that when a new domain is added to a forest that it is unique. If the server holding this role is offline, you won't be able to make changes to the AD namespace, which includes things like adding new child domains.
Schema Master - There is only one Schema Operations Master in a forest. It is responsible for updating the Active Directory Schema. Tasks that require this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require Schema modifications. These modifications must be done from the Schema Master.
Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest, you don't really need to worry about it. If you have multiple forests, then you should make sure that this role is not held by a server that is also a GC holder unless every DC in the forest is a GC. The infrastructure master is responsible for making sure that cross-domain references are handled properly. If a user in one domain is added to a group in another domain, the infrastructure master for the domains in question makes sure that it is handled properly. This role will not function correctly if it is on a global catalog.
RID Master - The Relative ID Master (RID Master) is responsible for issuing RID pools to DCs. There is one RID master per domain. Any object in an AD domain has a unique Security Identifier (SID). This is made up of a combination of the domain identifier and a relative identifier. Every object in a given domain has the same domain identifier, so the relative identifier is what makes objects unique. Each DC has a pool of relative IDs to use, so when that DC creates a new object, it appends a RID that it hasn't used yet. Since DCs are issued non-overlapping pools, each RID should remain unique for the duration of the life of the domain. When a DC gets to ~100 RIDs left in its pool, it requests a new pool from the RID master. If the RID master is offline for an extended period of time, object creation may fail.
PDC Emulator - Finally, we get to the most widely misunderstood role of them all, the PDC Emulator role. There is one PDC Emulator per domain. If there is a failed authentication attempt, it is forwarded to the PDC Emulator. The PDC Emulator functions as the "tie-breaker" if a password was updated on one DC and hasn't yet replicated to the others. The PDC Emulator is also the server that controls time sync across the domain. All other DCs sync their time from the PDC Emulator. All clients sync their time from the DC that they logged in to. It's important that everything remain within 5 minutes of each other, otherwise Kerberos breaks and when that happens, everyone cries.
The important thing to remember is that the servers these roles run on are not set in stone. It's usually trivial to move these roles around, so while some DCs do slightly more than others, if they go down for short periods of time, everything will usually function normally. If they're down for a long time, it's easy to transparently transfer the roles. It's much nicer than the NT4 PDC/BDC days, so please stop calling your DCs by those old names. :)
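Two of the points in the role list above are easy to check but easy to forget: the Infrastructure Master / Global Catalog conflict, and the 5-minute clock tolerance that Kerberos enforces relative to the time hierarchy rooted at the PDC Emulator. The following is an added example, not code from the original post. It assumes the ActiveDirectory module is present; the w32tm output format it parses (one sample per line, "HH:MM:SS, +00.0012345s") is an assumption based on Server 2008 R2 / 2012 behaviour.

```powershell
# Added example: list the five FSMO holders, flag the Infrastructure Master / GC conflict
# described above, and measure this host's clock offset from the PDC Emulator.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles are exposed on Get-ADForest, per-domain roles on Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Rule from the text: the Infrastructure Master should not be a GC unless every DC is,
    # and it only matters once there is more than one domain in the forest.
    $dcs    = @(Get-ADDomainController -Filter *)
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $imIsGc = (Get-ADDomainController -Identity $domain.InfrastructureMaster).IsGlobalCatalog
    $warning = if ($imIsGc -and -not $allGc -and @($forest.Domains).Count -gt 1) {
        'Infrastructure Master is a GC while other DCs are not; cross-domain references may not update'
    } else { '' }

    [pscustomobject]@{
        Roles                  = $roles
        InfrastructureMasterGc = $imIsGc
        AllDcsAreGc            = $allGc
        Warning                = $warning
    }
}

function Get-PdcClockOffset {
    param([string]$Pdc = (Get-ADDomain).PDCEmulator)

    # w32tm prints one sample per line, e.g. "10:17:18, +00.0012345s" (format assumed)
    $lines = & w32tm.exe /stripchart "/computer:$Pdc" /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "Could not read an offset from w32tm output for $Pdc" }

    $mean = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        PdcEmulator        = $Pdc
        OffsetSeconds      = [math]::Round($mean, 3)
        # Kerberos default MaxClockSkew is 5 minutes (300 s)
        WithinKerberosSkew = ([math]::Abs($mean) -lt 300)
    }
}

# Usage:
# (Get-FsmoReport).Roles
# Get-PdcClockOffset
```

Running Get-PdcClockOffset on each DC in turn shows whether the time hierarchy actually converges on the PDC Emulator; an offset that is growing rather than stable usually means a DC is syncing from somewhere other than the PDC Emulator.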

So, um...how do the DCs share information if they can function independently of each other?

Replication, of course. By default, DCs belonging to the same domain in the same site will replicate their data to each other at 15 second intervals. This makes sure that everything is relatively up to date.
There are some "urgent" events that trigger immediate replication. These events are: An account is locked out for too many failed logins, a change is made to the domain password or lockout policies, the LSA secret is changed, the password is changed on a DC's computer account, or the RID Master role is transferred to a new DC. Any of these events will trigger an immediate replication event.
Password changes fall somewhere between urgent and non-urgent and are handled uniquely. If a user's password is changed on DC01 and a user tries to log into a computer that is authenticating against DC02 before replication occurs, you'd expect this to fail, right? Fortunately that doesn't happen. Assume that there is also a third DC here called DC03 that holds the PDC Emulator role. When DC01 is updated with the user's new password, that change is immediately replicated to DC03 also. When the authentication attempt on DC02 fails, DC02 then forwards that authentication attempt to DC03, which verifies that it is, indeed, good, and the logon is allowed.
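The 15-second interval and the password-chasing behaviour above only hold while replication is healthy, so the practical check is "when did each DC last successfully replicate from each partner?". The script below is an added example, not part of the original post; it relies on the replication cmdlets that shipped with the Server 2012 ActiveDirectory module (Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure).

```powershell
# Added example: summarise inbound replication for every DC in the forest and flag
# partners whose last successful sync is older than a threshold.
Import-Module ActiveDirectory

function Get-ReplicationLag {
    param(
        # Intra-site replication runs at 15-second intervals by default, so an hour without
        # a successful sync inside a site is a real problem. Inter-site links replicate on a
        # schedule, so raise this when checking partners in other sites.
        [int]$MaxAgeMinutes = 60
    )

    # One object per (destination DC, source partner, naming context)
    $meta = Get-ADReplicationPartnerMetadata -Target * -Scope Forest -PartnerType Inbound
    foreach ($m in $meta) {
        $age = (Get-Date) - $m.LastReplicationSuccess
        [pscustomobject]@{
            Server          = $m.Server
            Partner         = $m.Partner
            Partition       = $m.Partition
            LastSuccess     = $m.LastReplicationSuccess
            LastAttempt     = $m.LastReplicationAttempt
            ConsecutiveFail = $m.ConsecutiveReplicationFailures
            LastResult      = $m.LastReplicationResult
            Stale           = ($age.TotalMinutes -gt $MaxAgeMinutes)
        }
    }
}

# Usage:
# Get-ReplicationLag | Where-Object { $_.Stale -or $_.ConsecutiveFail -gt 0 } | Format-Table -AutoSize
# Get-ADReplicationFailure -Scope Forest     # the same failures reported from the other side
# repadmin /replsummary                      # the classic one-screen view, works on older DCs
```

A partner that shows Stale = True with ConsecutiveFail = 0 has simply not been scheduled yet (typical for inter-site links); Stale combined with a non-zero failure count is the case that needs attention before stale passwords or lockouts start surfacing on the DC that is behind.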

Let's talk about DNS

DNS is critical to a properly functioning AD. The official Microsoft party line is that any DNS server can be used if it is set up properly. If you try and use BIND to host your AD zones, you're high. Seriously. Stick with using AD Integrated DNS zones and use conditional or global forwarders for other zones if you must. Your clients should all be configured to use your AD DNS servers, so it's important to have redundancy here. If you have two DCs, have them both run DNS and configure your clients to use both of them for name resolution.
Also, you're going to want to make sure that if you have more than one DC, that they don't list themselves first for DNS resolution. This can lead to a situation where they are on a "replication island" where they are disconnected from the rest of the AD replication topology and cannot recover. If you have two servers DC01 - 10.1.1.1 and DC02 - 10.1.1.2, then their DNS server list should be configured like this:
Server: DC01 (10.1.1.1)
Primary DNS - 10.1.1.2
Secondary DNS - 127.0.0.1
Server: DC02 (10.1.1.2)
Primary DNS - 10.1.1.1
Secondary DNS - 127.0.0.1
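The DC01/DC02 layout above can be verified, and corrected, from one place rather than by opening each DC's adapter settings. The script below is an added example, not part of the original post; it assumes PowerShell remoting is enabled on the DCs and that the DnsClient module (Server 2012 and later) is available on them. The 10.1.1.1 / 10.1.1.2 addresses are only the sample values from the text; the script discovers the real DCs from AD.

```powershell
# Added example: check that no DC lists itself (or 127.0.0.1) first for DNS, which is how a
# DC ends up on a "replication island", and optionally rewrite the list to partner-first.
Import-Module ActiveDirectory

function Test-DcDnsClientOrder {
    param([switch]$Fix)   # -Fix rewrites the list on any DC that lists itself first

    $dcs = @(Get-ADDomainController -Filter *)
    $allDcAddresses = @($dcs | ForEach-Object { $_.IPv4Address })

    foreach ($dc in $dcs) {
        $self = $dc.IPv4Address
        # Partner DCs first, loopback last, exactly as in the DC01/DC02 example above
        $desired = @($allDcAddresses | Where-Object { $_ -ne $self }) + '127.0.0.1'

        # Read the IPv4 DNS server list of every interface that has one configured
        $lists = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 }
        }

        foreach ($l in $lists) {
            $first = $l.ServerAddresses[0]
            $selfFirst = ($first -eq $self -or $first -eq '127.0.0.1')

            if ($selfFirst -and $Fix) {
                $idx = $l.InterfaceIndex
                Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
                    Set-DnsClientServerAddress -InterfaceIndex $using:idx -ServerAddresses $using:desired
                }
            }

            [pscustomobject]@{
                DC             = $dc.HostName
                Interface      = $l.InterfaceAlias
                Current        = ($l.ServerAddresses -join ', ')
                ListsSelfFirst = $selfFirst
                Recommended    = ($desired -join ', ')
            }
        }
    }
}

# Usage:
# Test-DcDnsClientOrder | Format-Table -AutoSize      # report only
# Test-DcDnsClientOrder -Fix                          # apply the recommended order
```

Run it without -Fix first: on a domain with more than two DCs the recommended list is "all other DCs, then loopback", and you may prefer to trim it to the DCs in the same site before applying it.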

OK, this seems complicated. Why do I want to use AD at all?

Because once you know what you're doing, your life becomes infinitely better. AD allows for the centralization of user and computer management, as well as the centralization of resource access and usage. Imagine a situation where you have 50 users in an office. If you wanted each user to have their own login to each computer, you'd have to configure 50 local user accounts on each PC. With AD, you only have to make the user account once and it can log into any PC on the domain by default. If you wanted to harden security, you'd have to do it 50 times. Sort of a nightmare, right? Also imagine that you have a file share that you only want half of those people to get to. If you're not using AD, you'd either need to replicate their usernames and passwords by hand on the server to give seamless access, or you'd have to make a shared account and give each user the username and password. One way means that you know (and have to constantly update) users' passwords. The other way means that you have no audit trail. Not good, right?
You also get the ability to use Group Policy when you have AD set up. Group Policy is a set of objects that are linked to OUs that define settings for users and/or computers in those OUs. For example, if you want to make it so that "Shutdown" isn't on the start menu for 500 lab PCs, you can do that in one setting in Group Policy. Instead of spending hours or days configuring the proper registry entries by hand, you create a Group Policy Object once, link it to the correct OU or OUs, and never have to think about it again. There are hundreds of GPOs that can be configured, and the flexibility of Group Policy is one of the major reasons that Microsoft is so dominant in the enterprise market.


Sunday, August 25, 2013

Citrix Xenapp Logon Process Through Web Interface

This can be sort of confusing when logging in through a web interface that is configured to “Authenticate at the Web Interface”. First of all, that’s not what that setting means — When it’s clicked, it actually means that you’ll be authenticated at the XML broker. Whether you are troubleshooting slow logins, or just trying to configure the optimal architecture for faster logins — Knowing the Citrix logon process can be helpful. Here is the process flow as we see it, and how it works:

1). Enter credentials at the Web Interface
2). Web interface reaches out to the XML broker, and passes the credentials
3). XML broker reaches out to an AD Domain Controller, which authenticates the credentials.
4). After being authenticated, user can request an ICA file for application launch
5). The best server will be selected based on load evaluators
6). Best server will respond back to the web interface with ICA file
7). ICA file is passed from Web Interface to client machine
8). Client machine is connected over ICA to given Xenapp server
9). Xenapp server confirms the RDS/TS License is in order
10). AD is queried for roaming profile information
11). Roaming profile is downloaded to the Xenapp server
12). Xenapp server checks with Citrix license server to make sure licensing is in order
13). Microsoft GPO’s get applied
14). Citrix policies get applied
15). User’s “Startup” folder gets executed, launching logon scripts, etc
16). Application / Desktop launches.

Friday, August 23, 2013

Ten printing rules with Citrix XenApp

The Ten Printing Rules
  1. Since Presentation Server 4.0 (CPS 4.0) use the Citrix Universal Printer Driver based on EMF for client printers, especially with Windows Clients.
    User Policy\ICA\Printing\Universal Printing = Use universal printing only
  2. Client network printer (network printer connected to the client) should also be mapped by EMF and the print output should go through the client in indirect mode.
    User Policy\ICA\Client Printers\Direct connections to print server = Disabled
  3. Print server should always be located in the same network as the XenApp server, especially when the printers are in a WAN location, branch office. This is when not going through the ICA connection (see point 2) 
  4. Once Citrix has released the Universal Print Server (UPS), which is expected by the end of 2011, only use the UPS to connect to printers located on the print server.
  5. Set Microsoft group policies to disallow Point-To-Print (P2P), to use print isolation, disallow kernel-mode drivers and render jobs on the print server.
    Computer Configuration\Policies\Administrative Templates\Printers
    • Always render print jobs on the server
    • Execute print drivers in isolated processes
    • Point to Print Restrictions (set to localhost)
    • Disallow installation of printers using kernel-mode drivers

      See also
    • How to Restrict Print Drivers From Being Installed on XenApp Servers Hosted on Windows Server 2008/R2: http://support.citrix.com/article/CTX128786
    • How to Restrict Print Drivers from Being Installed on XenApp Servers: http://support.citrix.com/article/CTX120618
  6. Set Citrix user policies to avoid unwanted in-box printer driver.
    User Policy\ICA\Printing\Automatic installation of in-box printer drivers = Disabled

    ----- if you cannot use Citrix universal print driver ----
  7. Always use the Microsoft native printer drivers that come with the operating system first.
  8. When you use 3rd party printer driver (HP, Lexmark, Xerox etc.), test them first with StressPrinters and make sure the spooler doesn't crash.
  9. Do not use 3rd party printer driver with print monitors, try to get drivers without monitors or disable/remove them.
  10. Out of experience, avoid PCL6 printer driver if you have to use 3rd party printer driver.
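Rules 5, 7, 8 and 9 above are all about what is allowed to load inside the spooler, and all of them can be audited from the server itself. The script below is an added example and is not part of the original post. The three registry value names under the Printers policy key are the ones the corresponding Group Policy settings write (stated here as an assumption; confirm against the Printers ADMX in your environment). It uses the Win32_PrinterDriver WMI class so that it also works on the Server 2008 R2 XenApp hosts the post targets.

```powershell
# Added example: audit a XenApp server against printing rules 5 and 7-9 above.
function Get-PrintHardeningReport {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

    # Read one policy DWORD; $null means the policy is "not configured"
    function Get-PolicyValue([string]$Key, [string]$Name) {
        try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    # Rule 5: the Microsoft policies that keep untrusted driver code out of the spooler.
    # Value names are assumptions based on what the ADMX-backed policies write.
    $policies = [pscustomobject]@{
        PointAndPrintRestricted  = Get-PolicyValue "$policyKey\PointAndPrint" 'Restricted'
        DriverIsolationPolicy    = Get-PolicyValue $policyKey 'PrintDriverIsolationExecutionPolicy'
        KernelModeDriversBlocked = Get-PolicyValue $policyKey 'KMPrintersAreBlocked'
    }

    # Rules 7-9: every installed driver. Win32_PrinterDriver.Name is "<driver>,<version>,<environment>";
    # driver version 2 is kernel-mode, 3 is user-mode. A non-empty MonitorName means the driver
    # brought its own print monitor (rule 9); InfName shows whether it came from an in-box INF.
    $drivers = Get-WmiObject Win32_PrinterDriver | ForEach-Object {
        $parts = $_.Name -split ','
        [pscustomobject]@{
            Driver      = $parts[0]
            Version     = $_.Version
            Environment = $parts[2]
            KernelMode  = ($_.Version -eq 2)
            Monitor     = $_.MonitorName
            InfName     = $_.InfName
        }
    }

    [pscustomobject]@{
        Policies = $policies
        Drivers  = $drivers
        # Drivers that break rule 5 (kernel-mode) or rule 9 (ship a print monitor)
        Findings = @($drivers | Where-Object { $_.KernelMode -or $_.Monitor })
    }
}

# Usage:
# $r = Get-PrintHardeningReport
# $r.Policies                                    # $null = policy not configured
# $r.Findings | Format-Table -AutoSize
# $r.Drivers  | Where-Object { $_.InfName -notmatch '^(ntprint|prn)' } | Format-Table -AutoSize
```

The last usage line is a rough way to surface third-party drivers (rules 7 and 8): Microsoft's in-box printer drivers are installed from ntprint.inf and the prn*.inf files, so anything from another INF is a candidate for the StressPrinters test before it stays on the farm.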


Q&A

Q: When using 3rd party printer driver what can happen?
A: If you are lucky nothing, but you might see: print spooler crash, delayed logons, stuck logons or, the worst, blue screen of death (BSOD) - server crash.

Q: Why only use the Citrix EMF universal printer driver?
A: With Windows Clients, EMF actually uses the local client printer driver with all capabilities.

Q: What about non-Windows (MAC, Linux...) clients?
A: Non-Windows clients cannot use EMF and automatically fall back to a Universal Printer Driver (UPD) based on a color laser printer, but this will not give all the capabilities the client printer driver might have.

Q: Why not use the HP Universal Printer Driver?
A: The HP UPD should only be used for network printers mapped to the XenApp Server and only until UPS is released. With HP UPD make sure you use at least version 5.x and printer isolation, since the driver has been buggy in the past.

Q: What is printer isolation good for?
A: As it says, it isolates the printer driver and therefore protects the spooler from crashing. So if the driver is buggy, the isolated process might fail, but the driver will not crash the spooler service.

Q: Why disable Point-To-Print (P2P)?
A: P2P automatically installs printer drivers without you really knowing it. That can be very dangerous because you might spread a bad driver to all servers in your farm.

Q: Why should a print server be close to a XenApp server and not located in a branch office over WAN?
A: Especially with Office 2010, printers are "live" enumerated, and over a WAN that might take a long time. Also the XenApp server would do an RPC call over the WAN to the print server, which is very slow and sluggish.

Q: Why avoid PCL6 printer drivers?
A: There is no technical reason, but experience from the field has shown the PCL6 driver to cause several issues.

Q: What is the Citrix Universal Print Server (UPS)?
A: It's an upcoming printing component, hopefully released by the end of 2011. In short, UPS has two parts: the print server service (you install on the print server) and a client service (UPC) that will be installed on a XenApp server. Network printers between the print server and XenApp will then also be mapped with the Citrix EMF, and therefore no printer driver needs to be installed on the XenApp server! UPS is highly secure, optimized and even allows firewall traversal. UPS uses the Citrix Common Gateway Protocol (CGP) and the UPC will be included in future XenApp releases.

Troubleshooting Citrix ICA Printer Autocreation

Summary
This document describes steps for troubleshooting printer autocreation issues with locally defined, physically attached, or network printers.
While some of the ideas in this document apply to imported network printers, troubleshooting that issue can be significantly different than the autocreation of locally defined workstation printers. Refer to CTX881017 - Troubleshooting Imported Network Print Servers with XenApp.
For Universal Print Driver (UPD) troubleshooting information, refer to the following documents:
• CTX089874 – Troubleshooting and Explaining the Citrix Universal Print Driver
• CTX105158 – Troubleshooting Citrix ICA Printing - Quick Reference Guide
• CTX107137 – Troubleshooting Printing Problems In Presentation Server 4.0.
Procedure
To troubleshoot printer autocreation, follow these steps:
1. In Citrix Connection Configuration, double-click the ICA listener port, select the Client Settings button, and ensure Connect client printers at logon is selected. For Presentation Server 4.5 and later, configure these settings using the Terminal Services Configuration tool.
2. Ensure that the following check boxes are not selected under the Client Settings area:
    • Disable Windows Client Printer Mapping
    • Disable Client LPT Mapping
Both of these settings prevent client printers from being autocreated on the system, and prohibit the client printer from being manually added during the session.
CTX104693 – "Client Printer mapping" and "Client LPT Port mapping" are Grayed Out in ica-tcp Listener
3. If Inherit User Config is selected in step 1, ensure that Connect client printers at logon is selected under the User Config button for each user account within User Manager for Domains, or on the Environment tab within Active Directory Users and Computers / Computer Management - Local Users and Groups (for Active Directory 2000, 2003).
In Active Directory 2008, open the Server Manager utility and expand the Configuration node. From there you can manage your users and groups.
4. From the client machine:
a. Make a custom ICA connection directly to the server desktop and log on.
b. Open the printer folder inside the ICA session.
c. Add Printer > Network printer and expand Client network.
d. Select Client printer and try to Add.
e. The result may indicate:
5. Current Microsoft RDP clients allow for the creation of printers. While the RDP does not use the Citrix Client Network Service, as a test, log on with the RDP client. This might help in determining if there is an underlying operating system or permission issue.
6. Ensure the latest compatible driver for its operating system is installed on the client computer. On the Citrix server, install the latest compatible driver for the base operating system (Windows 2000 Server, Windows Server 2003, or Windows Server 2008). This is accomplished by installing a "phantom" printer on the server console. After the printer has been created it can be deleted from the print manager. The driver itself and registry references to the driver remain. You must verify what drivers have been installed on the server in step 7 below. In Windows 2000 Server, Windows Server 2003, and Windows Server 2008, right-click in the white space in the Printers folder, go to Server Properties, and select the Drivers tab.
A printer driver that is compatible with Windows 2000/2003/2008 is not necessarily compatible with the corresponding version of Terminal Server. Installing incompatible drivers might cause crashes (for example, see Microsoft TechNet articles Q191666 and Q249917 with respect to Lexmark drivers), spooler CPU spikes, hangs, print jobs failing to print, and autocreated printers might fail to delete upon log off (one possible cause of this is the lack of an Autocreated Printer definition inside the printer properties comment field).
Issues of this type should follow the recommendation in TechNet article Q135406 to remove the suspect driver from the system and to use the management console (which is known as the Advanced Configuration utility in XenApp and the Presentation Server Console in Presentation Server) to configure exclusions, manual print driver mappings, or to exclusively use the UPD. Syntax, spacing, and capitalization between the quotes within the manual mapping process are critical. A substituted print driver might limit the available printer functionality inside an ICA session with respect to the non-native driver.

Monday, July 29, 2013

The Independent Management Architecture (IMA) service fails to start

Symptoms
The Independent Management Architecture (IMA) service fails to start.
Cause
The following could be some reasons, in addition to others, for the IMA Service to fail to start:
  • IMA Service load time
  • IMA Service subsystem
  • Missing Temp directory
  • Print spooler service
  • ODBC configuration
  • Roaming Profile
  • Another server with an identical NetBIOS name on the same network
IMA Service Load Time
If the Service Control Manager reports that the IMA Service could not be started, but the service eventually starts, ignore the error message.
The Service Control Manager has a timeout of six minutes. The IMA Service can take longer than six minutes to start if the load on the database exceeds the capabilities of the database hardware or if the network has high-latency. If you feel that the service is merely hung (stuck in a “starting” state) you can terminate the ImaSrv.exe process in Task Manager and restart the Citrix Independent Management Architecture service as a test.
IMA Service Subsystem
Examine the following Windows Registry setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\CurrentlyLoadingPlugin
If there is no value specified in the CurrentlyLoadingPlugin portion of the above Windows Registry entry, then either the IMA Service could not connect to the data store or the local host cache is missing or corrupt.
If a CurrentlyLoadingPlugin value is specified, the IMA Service made a connection to the data store and the value displayed is the name of the IMA Service subsystem that failed to load.
Missing Temp Directory
If administrators see an “IMA Service Failed” error message with an error code of 2147483649 when starting the server, the local system account might be missing a Temp directory which is required for the IMA Service to run.
To gain further insight into the situation, change the IMA Service startup account to the local administrator and restart the server. If the IMA Service is successful in starting under the local administrator’s account, then it is likely that a missing Temp directory for the local system account is causing the situation.
If the Temp directory is not present, then manually create one as <root directory>\Temp. For example:
C:\Winnt\Temp
Also, verify that the TMP and TEMP system environment variables point to the temporary directory. Restart the server to restart the IMA Service.
Print Spooler Service
When the server attempts to start the IMA Service, the “Setup Could Not Start The IMA Service” error message appears. This error shows that the IMA Service is not starting, possibly because the print spooler service is not running or was configured incorrectly. In addition, the following error messages appear in the Event Viewer:
  • Failed to load plugin MfPrintSs.dll with error 80000001h
  • Failed to load initial plugins with error 80000001h
  • The Independent Management Architecture service terminated with service-specific error
The error occurs because the print spooler service:
  • Has stopped
  • Is disabled
  • Is not configured to run under the Local System Account
To correct this error, verify that the print spooler service was started in the context of system rather than in the context of a user. A print spooler service that is not running or has been configured incorrectly might cause the printing subsystem to fail to load.
To resolve the situation, stop and start the print spooler service, making sure that it is configured to run under the Local System Account. Then, try to start the IMA Service.
ODBC Configuration
  1. Verify that the Microsoft SQL Server or Oracle server is online.
  2. Verify the name of the DSN file that the IMA Service is using by looking at the following key in the Windows Registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName
  3. Attempt to connect to the database using the DSN file with an ODBC test utility such as Oracle ODBC Test or SQL Server ODBC Test.
  4. Verify that the correct user name and password are being used for database connectivity.
  5. Change the user name and password using the DSMAINT CONFIG command if needed:
    dsmaint config /user:username /pwd:password /dsn:dsnfilename
  6. Enable ODBC Tracing for further troubleshooting.
Roaming Profile
When the server attempts to start the IMA Service, the “Setup Could Not Start The IMA Service” error message appears. In the event viewer you might see the following error: IMA_RESULT_INVALID_MESSAGE or other events related to the IMA Service not being able to start.
Verify the size of the roaming profile, especially if it is crossing a WAN. Also watch for error messages related to not being able to load the profile. Test with a local user profile or one that is smaller in size.
Another server with an identical NetBIOS name on the same network
Verify that there is not another server on the network with the same NetBIOS name. If CurrentlyLoadingPlugin lists ImaLicSs.dll, this might be an indication of this condition. Another symptom of ImaLicSs.dll
“106. The IMA Service failed to start because of license group corruption in the data store.
Note: This fix prevents corruption in the data store but it does not correct any corruption that may already exist. You need to check for corruptions present in the data store and correct them using the appropriate tools.
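The causes listed in this article can be checked in one pass on the affected server instead of one dialog at a time. The script below is an added example, not part of the Citrix article. The two IMA registry paths are the ones the article quotes; the service name IMAService (display name "Citrix Independent Management Architecture") and the NetBT duplicate-name event ID 4319 are assumptions, not values from the article.

```powershell
# Added example: gather the IMA start-up prerequisites described above on a XenApp server.
function Test-ImaStartPrerequisites {
    $ima = 'HKLM:\SOFTWARE\Citrix\IMA'

    # 1. IMA Service subsystem: which plugin (if any) was loading when the service died?
    $plugin = (Get-ItemProperty "$ima\Runtime" -ErrorAction SilentlyContinue).CurrentlyLoadingPlugin
    $pluginVerdict = if ([string]::IsNullOrEmpty($plugin)) {
        'Empty: data store unreachable, or local host cache missing/corrupt'
    } else { "Data store reached; subsystem '$plugin' failed to load" }

    # 2. ODBC: the DSN file the service connects with, and whether it exists on disk
    $dsn = (Get-ItemProperty $ima -ErrorAction SilentlyContinue).DataSourceName
    $dsnExists = if ($dsn) { Test-Path $dsn } else { $false }

    # 3. Missing Temp directory: <root directory>\Temp plus the machine-level TMP/TEMP variables
    $tempDir = Join-Path $env:SystemRoot 'Temp'
    $tmpVars = [ordered]@{
        TMP  = [Environment]::GetEnvironmentVariable('TMP',  'Machine')
        TEMP = [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
    }

    # 4. Print spooler: must be running as LocalSystem or MfPrintSs.dll fails with 80000001h
    $spooler   = Get-WmiObject Win32_Service -Filter "Name='Spooler'"
    $spoolerOk = ($spooler.State -eq 'Running' -and $spooler.StartName -eq 'LocalSystem')

    # 5. Duplicate NetBIOS name: NetBT logs event 4319 when another host claims our name (assumed ID)
    $dupName = Get-EventLog -LogName System -Source NetBT -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4319 } | Select-Object -First 1

    # 6. Current state of the IMA service itself (service name assumed)
    $svc = Get-Service -Name IMAService -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ImaServiceStatus       = if ($svc) { $svc.Status } else { 'service not found' }
        CurrentlyLoadingPlugin = $plugin
        PluginVerdict          = $pluginVerdict
        DataSourceName         = $dsn
        DsnFileExists          = $dsnExists
        SystemTempDir          = $tempDir
        SystemTempExists       = (Test-Path $tempDir)
        TmpVariables           = $tmpVars
        SpoolerState           = $spooler.State
        SpoolerAccount         = $spooler.StartName
        SpoolerOk              = $spoolerOk
        DuplicateNameEvent     = if ($dupName) { $dupName.TimeGenerated } else { $null }
    }
}

# Usage (run in an elevated session on the XenApp server):
# Test-ImaStartPrerequisites | Format-List
```

Read the output top to bottom in the same order as the article: an empty CurrentlyLoadingPlugin points at the data store or local host cache, a named plugin points at that subsystem (MfPrintSs.dll together with SpoolerOk = False is the spooler case), and a missing Temp directory or a DSN file that does not exist explains the remaining start-up failures without touching the database.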