In my previous post, which you can find here, I covered the application and management of both Citrix User and Computer policies. I didn’t cover the application of any specific policies in great detail, as I felt that it would be more beneficial to give you a framework around which you could apply policies suitable for your environment. I am now going to return to more specific instructions on how to leverage the Group Policy setup I have in place in order to manage Citrix User Profiles. I will begin by covering the topics with which you need to be familiar before covering how to prepare your XenApp environment to best utilise the Citrix User Profile Manager (UPM).
If you are a beginner (toward whom I am pitching this current series of blogs) then all you need to know is that a Citrix User Profile is essentially a feature-rich Windows Roaming Profile that has been created to handle the issues that arise when using Roaming Profiles across multiple XenApp application servers. If you are confused about what roaming profiles are, I would recommend starting with this article http://www.windowsnetworking.com/articles-tutorials/windows-2003/Profile-Folder-Redirection-Windows-Server-2003.html and then having a read of the 1000s of articles available on the subject across the internet.
Of course, while reading up about Roaming Profiles you will come across lots of references to Redirected Folders, as the two typically go hand in hand. Wikipedia is always good for a quick explanation (http://en.wikipedia.org/wiki/Folder_redirection), as of course is Microsoft (http://technet.microsoft.com/en-us/library/cc732275.aspx).
I would also consider Citrix Profile Management and VDI – Doing it Right! by Dan Allen to be essential reading before you implement any profile management solution in your environment. His article is pitched at XenDesktop admins but the concepts transfer fully to a multi-server XenApp environment.
The first step is to set up a file server to act as a central repository for your profile management solution. As your XenApp application servers are Windows Server 2008 R2, I would highly recommend using a Windows 2008 R2 file server as the central share for your Citrix User Profiles. Among other things this will allow you to take advantage of SMB 2.0; I would highly recommend reading this article by Trond Eirik Haavarstein on SMB 2.0 tuning for a Citrix XenApp 6.x environment. While it won’t be hugely important for the test environment that is being built for this series of blogs, it is something you will need to consider when implementing a XenApp environment with more than 50 users (fewer if the users in question have high I/O requirements).
I would personally recommend implementing it for every environment as a matter of good habit and best practice. The whole point of Citrix technology is to have a consistent (and good!!) user experience across multiple technology platforms. If your basics are not correct then this can have time-consuming and potentially job-limiting consequences when your XenApp environment is fully subscribed and users are calling you up wondering why it’s taking 20 minutes before their application even starts.
At the risk of recreating the wheel I am now going to cover the specifics of configuring the shares you will use to store both your Citrix user profiles and Redirected Folders. As this is a demo environment I will place both folders on the D drive of my file server and domain controller 11V-XA65AD-01. Depending on the size of your production environment you would have a dedicated file server or server(s), with the folders in question hosted on separate physical disks if at all possible. You don’t want your redirected folder I/O adversely affecting the loading or unloading of users’ roaming profiles.
The first folder I created for the Redirected Folders was called XenAppUserHome; you can call it anything you like as long as you know what the folder and share are being used for and can remember it.
Now that you have created the folder you will want to change the permissions. Right-click on the folder and click on Properties. Under the Security tab click on Advanced.
Under the permissions tab in the next window click on Change Permissions…
You will want to prevent any higher level permissions on the drive propagating to the user folders that will eventually occupy this folder, so untick Include inheritable permissions from this object’s parent. You will then be prompted with the warning below; click Add.
You will then be left with all permission entries being set to <not inherited>. The next step is to highlight the Users Special permission entry and click on Edit…
In the drop down menu choose ‘This folder only’ and ensure only the two options below are ticked. Once you have confirmed, click OK.
Now repeat the same for the Users Read & execute permission entry by highlighting it and clicking on Edit…
Again ensure the ‘This folder only’ option is chosen and click OK.
Once you have done this for both Users permission entries you will notice that there is now only a single Users permission entry rather than two.
Open the single Users permission entry and confirm that all permissions are allowed except for the four shown below.
Now that you have set the required permissions, the next step is to share the folder in question. In the properties of the folder click on the Sharing tab and then click on Advanced Sharing.
In this case name the share XenAppUserHome$ (the trailing dollar sign makes it a hidden share, like the built-in admin shares, so that it can’t be seen by casual browsing). You will first need to click on Caching.
In Offline Settings select ‘No files or programs from the shared folder are available offline’ and then click OK.
The next option to click on is Permissions, which will open the permissions window as below. Ensure that the Everyone group has all permission options ticked.
Once the above has been created you will be able to see the share on the Server Manager console under Share and Storage Manager (on the left pane).
Right-click on the share you are working on and click Properties.
You can give the share an appropriate description if you choose under the description field, then click on Advanced.
Ensure the User limit is set to the Maximum allowed and that Enable access-based enumeration is ticked, then click OK.
Once you have done this, the next step is to repeat the process above for a second folder called XenAppProfiles (or a similar easy to identify name). Once you are done you should have two shares: one called XenAppUserHome$ (for your Redirected Folders) and a second called XenAppProfiles$ (for your Roaming Profiles).
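Because each share grants Everyone every permission, the NTFS permissions set in the steps above are what actually restrict access, so it is worth confirming them from PowerShell on the file server. The script below is an added example and not part of the original post; the function name Test-ProfileRoot and the BUILTIN\Users account name are assumptions, and the paths are the demo paths used in this post.

```powershell
# Added example, not from the original post. Read-only; works on PowerShell 2.0.
function Test-ProfileRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Path,       # folder, e.g. D:\XenAppUserHome
        [Parameter(Mandatory = $true)][string]$ShareName,  # share, e.g. XenAppUserHome$
        [string]$UsersGroup = 'BUILTIN\Users'              # assumed name of the Users group
    )
    $findings = @()
    $acl = Get-Acl -Path $Path

    # Inheritance must be switched off, leaving every entry "<not inherited>".
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Folder still inherits permissions from its parent.'
    }
    if (@($acl.Access | Where-Object { $_.IsInherited }).Count -gt 0) {
        $findings += 'Folder ACL still contains inherited entries.'
    }

    # The post ends with a single Users entry scoped to "This folder only".
    $userRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $UsersGroup })
    if ($userRules.Count -ne 1) {
        $findings += "Expected one $UsersGroup entry, found $($userRules.Count)."
    }
    foreach ($rule in $userRules) {
        if ($rule.InheritanceFlags -ne 'None') {
            $findings += "$UsersGroup entry also applies to child objects: $($rule.InheritanceFlags)."
        }
    }

    # The share must exist, be hidden, map to this folder and have no user cap.
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
    if (-not $share) {
        $findings += "Share $ShareName was not found."
    } else {
        if (-not $ShareName.EndsWith('$')) { $findings += 'Share name does not end in $.' }
        if ($share.Path.TrimEnd('\') -ne $Path.TrimEnd('\')) {
            $findings += "Share points at $($share.Path), not $Path."
        }
        if (-not $share.AllowMaximum) { $findings += 'Share has a user limit set.' }
    }

    New-Object PSObject -Property @{
        Share = $ShareName; Passed = ($findings.Count -eq 0); Findings = $findings
    }
}

Test-ProfileRoot -Path 'D:\XenAppUserHome' -ShareName 'XenAppUserHome$'
Test-ProfileRoot -Path 'D:\XenAppProfiles' -ShareName 'XenAppProfiles$'
```

Win32_Share does not expose the offline caching or access-based enumeration settings, so confirm those two in Share and Storage Manager.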
Now that you have completed the configuration of the two folders, the next step is to redirect your user folders. As you should have learned from the recommended articles above (along with your own independent research), Folder Redirection reduces the size and number of folders that need to be copied at logon and logoff time. When used in conjunction with Roaming Profiles it should speed up the process considerably.
The next question is what folders do you redirect? In Citrix Profile Management and VDI – Doing it Right! Dan Allen suggests redirecting everything, as this reduces the overall size of the profile to be copied at logon and logoff. I would largely agree with him except perhaps for the user AppData folder, which may cause you general performance issues and application-specific problems also.
In this article http://www.xenappblog.com/2012/redirect-favorites/ Trond Eirik Haavarstein lays out the general performance issues caused by redirecting the appdata folder and the amount of potential I/O involved. On the application-specific problem, I know from sad experience that CRM 2011 does not support redirection of the appdata folder (or at least it didn’t when I was working with it). This caused a large headache for my team in a previous life as we had a multi XenApp server farm delivering the CRM client to Mac and other mobile device users. This was a XenApp environment in which we were redirecting the appdata folder; the application would randomly hang, which led to a lot of service calls being logged. You will find this with a lot of older or badly designed applications that have been written with the expectation that the appdata folder is on a local drive.
This is a great article by Ryan Gallier on citrixirc.com called XenApp 6/6.5 Profile Optimization in which he redirects all folders except appdata and uses Citrix User Profile Manager to include/exclude specific application files/folders in the appdata folder as required.
Whether or not you choose to roam appdata will be a decision based on your own environment. In this scenario I am not going to, as I will be including Ryan’s suggestions as examples of how to include/exclude specific files and folders with Citrix User Profile Manager. Unfortunately most admins live in a world without Unicorns and guaranteed gigabit speeds between their servers (which also happen to have super-fast fibre attached SANs). As a result I felt it would be more useful for the purposes of this blog series not to roam appdata and instead examine file/folder exclusion/inclusion using the UPM policy template so kindly provided to the general public by Ryan.
Having decided how we will deal with appdata, I will proceed with showing you how to roam the rest of your user folders. If you are a reader of this blog series you will remember we previously created a WindowsUsers GPO.
You will find Folder Redirection under your chosen GPO under User Configuration -> Policies -> Windows Settings -> Folder Redirection, as per the screenshot below.
Then right-click on the folder you have chosen to redirect and click Properties (in this case Documents). Under the Target tab leave the Setting: at Basic, and under Target folder location choose to create a folder for each user under the root path. For the Root Path use the UNC path to the share you created for redirected folders earlier in the post. As per the example below, this will create a user-specific folder for each logged-in user.
Under settings you can leave the options as below unless you have a reason to change them.
You will get the warning below, for which you can just click Yes as this isn’t applicable in this case.
The properties for all the folders that can be redirected using Group Policy are largely identical except for Pictures, Music and Videos, which you can set to be created as sub folders under Documents rather than having a folder created under %userprofile%.
Now that you have created your shares for both your roaming profiles and redirected folders and added folder redirection policies under the WindowsUsers GPO, the next step will be to install Citrix Profile Manager on each of your XenApp Application Servers and then configure it according to your needs using the Citrix Profile Manager Group Policy template. As I think you will have quite a lot to digest in the current post, I will continue this topic in my next entry. Thanks for reading.