VMware & Teradici: Changing Desktop Support

It has been a long time since I have posted anything on my blog. It’s not laziness, it has just been terribly crazy at work and I have decided to write a novel – which I’m 180,000 words into – so, uh, well, there you go!

I wanted to give you some information on how I have been configuring the end user experience for our users. This has completely changed the way we deploy and support desktops.

First of all, we’re running VMware View. This makes provisioning desktops quick and smooth. In fact, I provisioned thirty desktops yesterday and have them ready to deploy…..by myself.

The second part is very cool. We’re using Samsung NC191 all-in-one zero clients. The monitors on these things are crisp and have met with rave reviews from our users. But the cool part is the more recent firmware revisions for the Teradici chip allow you to set the zero client to auto-login with Active Directory credentials and auto-connect to a virtual desktop upon login.

Now, my technicians can deploy the Samsung and walk away. When I get the VM provisioned, I can jump out to the Teradici management console and reset the device. When the device comes back online, it autologs as the user and auto-connects to the VM. The beautiful part is that I don’t have to send someone to connect it up for the first time. It’s true centralized management and less burned shoe-leather! Big time savings for me and for my techs. Two thumbs up on this solution.

Until Next Time!

Techmill

Black Boxes of Terror

Recently, I’ve been noticing black boxes on the screens of my thin clients connected to VMware View desktops. These boxes will go away upon rebooting the thin client but come back some time later.

Here’s the fix. The black boxes are due to bitmap caching being turned on across your VDI or View session. If you’re using Microsoft Terminal Services (mstsc.exe), then you can turn this off. It’s a registry hack for VMware View users. So, here it is:

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Client\RDP Settings]
“BitmapPersistence”=”false”
“CachePersistenceActive”=”false”

I imported this into the registry on my thin clients (Windows XPe) and the black boxes went away.

Until Next Time

Techmill

SAN Performance versus Anti-Virus

Over the last couple of months, I’ve been pressed to do more with less when it comes to our SAN. So, I started digging to find out how I can optimize and slim down my virtual desktops so that they take up less SAN overhead.

I made several changes in order to accomplish this, but my biggest and most advantageous change was when I manipulated the way our Anti-Virus operates. Here are some changes that I made that you might find helpful in your enterprise:

1.) I lumped all virtual desktops together in one folder in our anti-virus management console. (Our Vm’s are XP SP3)

2.) Then I changed them from a push to a pull method for updates. Basically, the virtual desktops poll the server every 4 hours looking for an update rather than the server just dumping updates to everything once it receives one.

3.) Then I set a 4 hour randomization variable. So, now, all VM’s ask the server for updates every 4 hours and then it installs the updates to the VM at a random time within the 4 hour window.

4.) I turned off enterprise scanning on VM’s. Our AV server was scanning everything every Monday night at 8pm. It was a big drag on the SAN. So, we still scan the physical machines but not the VM’s.

5.) I turned off proactive network scanning for the VM’s. This feature basically scans everything that comes through the NIC. On virtual machines, this translates to SAN read/writes and some latency.

We saw a dramatic drop in SAN traffic after doing these few things. Don’t forget to plan and analyze your anti-virus solution prior to rolling out a virtual desktop solution.

Until Next Time

Techmill

Zero Clients: Re-inventing Desktops

In recent years, desktop computing has come full circle and we are once again looking at ways to run slim and secure at the desktops. Virtualization technologies such as VMware and Citrix have paved the way significantly.

Over the last year, I have been immersed in converting old stand-alone thin clients over to VMware View connected thin clients. This has worked relatively well but there have still been a few issues that have caused gray hairs to pop out of my beard. We still receive Helpdesk calls that say, “I don’t know which desktop I’m looking at – my thin client desktop or my VM desktop.” We still have occasional disconnects, some of which are related to terminal services time-outs. My biggest hurdle has been changing our support staff’s mind-set so that they understand and comprehend how a VMware delivered desktop works.

It was with all of this in mind that I began exploring alternatives. It didn’t take long for the “Zero-Client” to immerge as a viable replacement for thin clients and PC’s. I have tried out two models and I like them both but have scratched one from my list:

Samsung NC190/240 – This is an all-in-one solution that basically embeds a zero client into a nifty 19″ monitor. The PCoIP chip worked to perfection and I really loved the fact that it was an all-in-one unit. It could be added onto as the monitor itself supported multiple monitors, had USB ports, as well as audio ports, and carried a 3 year warranty to boot. It was scratched from my list for the one and only flaw I could find. There was no way to lock or hide the management menu from users – meaning that users could tweak away and “break” stuff. If this one flaw is not an issue for you, then I would recommend this solution for your review. Here’s the link: http://www.samsung.com/us/function/search/espsearchResult.do?keywords=zero+client&input_keyword=zero+client

Wyse P20 – This solution is probably what I will settle on. It’s not an all-in-one solution, but it does provide the ability to lock down the config menu and it’s made specifically for VMware View. With View’s redirection, I had a USB printer, Scanner, USB hub, speakers, and two USB drives connected to this guy in addition to the mouse and keyboard. Everything worked flawlessly. This solution definitely has my attention. I suggest you check it out: http://www.wyse.com/products/hardware/zeroclients/P20/index.asp

Provide robust desktop experience while securing the enterprise…hmmm…sounds like a worthwhile investment for some serious research…

Until Next Time

Techmill

VMware View 4.0 – Where did my space go?

I was minding my own business the other day and updating my ESX servers when, without warning, my VMware View Administration Console let me know that the datastores that they are using were out of disk space. I jumped out to vCenter to find that I had over 300 GB of space left. Scratching my head, I began to dig around for issues. I did the obvious reboot of vCenter and reboot of my connection server but the problem persisted. Finally I found the cause.

There is a known issue with the View Admin console not detecting the datastores while one of the ESX servers is in maintenance mode. I took my ESX server out of maintenance mode and, voila!, it could see the datastores again and the pools were fat and happy. Here’s the official link from VMware: http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&externalId=1013229

Until Next Time

Techmill

What’s in a Cert?

Happy April! I’m running a little behind in posting due to projects going on at work. Today, I wanted to just ramble a little bit about IT certifications.

There has been much discussion lately to debate whether or not IT certifications are still all they are cracked up to be. While you have to be careful to balance certifications with experience, don’t write them off. If you were on an airplane, which would you rather have; a pilot that had flown for a long time but had no pilot’s license or a pilot that had both experience and a license? Get my drift? With this in mind, here are some certs that I personally believe are still worth their salt:

VMware VCP – Virtualization is the big buzz right now and probably will be for years to come. Be prepared to know about virtualization and prove it with a cert.

Microsoft – Whether you love or hate “Big Blue”, the fact is that most infrastructures include some Microsoft products. So whether you’re an engineer or a desktop support tech, I would recommend including at least one Microsoft cert to your resume.

CompTIA Security+ – Even if you’re not the person responsible for security, I recommend this certification as it will change the way you think. When I obtained this cert, I began to analyze everything that I do from a security perspective. That is a very valuable quality.

CCNA – Cisco is the leader and probably the most widely used vendor of networking equipment. As long as this is true, you can’t go wrong with a Cisco cert…AS LONG AS it is balanced with some hands-on experience.

Project Management – There are a few flavors of this cert out there that range from more general and simple to the more difficult and complex. A balance of tech skills and project management skills can very quickly put you in demand.

College Degrees – This is the most difficult to obtain. Also, from my experience, they do very little to help you with the hands-on experience. However, they are great tools to get you recognized. My current employer would not have even interviewed me without a CIT degree. Also, many organizations require a degree before they will consider you for management positions.

There are many more but these certs made my highlight reel. I would be interested in hearing the certs that make your list or the ones that you would stay away from.

Until Next Time

Techmill

VMware View Black Screen of No Connectivity

OK…so here’s the issue. Using VMware View 4.0, I could connect internally every time. However, externally, the connection would act like it was going to work, then a black screen, and then a complete disconnect. After much grumbling and trying new things, I reluctantly opened a case with VMware…only to find out that this was not a problem with my external portal at all but a known issue with the View agent.

According to VMware, the issue is that the VM doesn’t like changing protocols from PCoIP to RDP and vice versa without a reboot in between. I was connecting via PCoIP internally and by RDP externally. I tested this theory by connecting internally to a VM, rebooting it, and then connecting externally. It worked perfectly.

Since my issue, VMware has released a new version of the agent that fixes this problem. I believe that the “fixed” version is 4.0.1 and the build for the executable would read like this: VMware-viewagent-4.0.1-233023. This is available from VMware’s site.

Until Next Time

Techmill

The Magic IE8 Uninstaller

The other day I was just sitting here, minding my own business, when a collegue of mine called. He was frantically trying to uninstall Internet Explorer 8 and roll back to his previous version. It seems that he had installed IE8 by mistake and it had “broken” some of his proprietary web applications due to incompatibility. He had looked under add/remove programs but there was not an entry there to uninstall IE8. Microsoft dude to the rescue again! There is a hidden uninstaller for IE8. Calm your ulcers and follow these instructions.

1.) Open a command prompt
2.) Navigate to %windir%\ie8\spuninst
3.) Type spuninst.exe and then hit Enter
4.) When it’s finished, reboot your computer.

I haven’t tested to see if this uninstaller will run from Windows explorer rather than command prompt. It probably will. It’s something I need to test but just haven’t had the time.

This same tactic can be used to uninstall service packs IF THEY HAVE BEEN ADDED ON. For example: If you install Windows XP with service pack 3 already added in, this won’t work. However, if you add on service pack 3 and then want to remove it, you should be able to find a similar folder with a SP uninstaller. I think in this example it would be something like %windir%\SP3\spuninst.

Until Next Time

Techmill

MAC Address Spoofing Made Easy

Happy Monday! This weekend, I was at home tinkering around with a laptop and wanted to get it on the internet to do Windows update. The problem is that I use MAC filtering at home and I didn’t feel like getting into my router and adding the MAC of this laptop. I wanted to spoof the MAC of one of my other workstations but I couldn’t change the MAC through my card’s properties. So, I reached into my stack of useful tricks and pulled this gem out. My laptop is Windows 7 but this should work on Windows 2000, Windows XP, and Windows Vista as well.

MAC ADDRESS SPOOFING

1.) Open regedit and navigate to: HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

2.) There should be numbers in sequence listed under this key. (0000, 0001, 0002, etc) Open each key and check the description in the right pane. Keep going until you find your NIC.

3.) Once you’ve found your NIC, click on “NetworkAddress” in the right pane and change it to the MAC address that you want to spoof. Don’t add any dashes or colons. Just numbers.

4.) Navigate to your device manager and disable/re-enable your NIC.

5.) Open a command prompt and do an ipconfig /all to make sure that your NIC is now using the newly spoofed MAC address.

**NOTE: From step 3, if “NetworkAddress” is not there, then you can add it as a new string value.

That’s it! It’s a quick and helpful tip that will allow you to dynamically change your MAC address on your Windows workstation boxes. If you ever need to revert back, then you can delete that string or set it back to the values that were there before you spoofed it. Enjoy!

Until Next Time

Techmill

Active Directory Authentication Slowness & Kerberos

OK, so here’s the scenario. I’ve setup two Microsoft Domain Controllers. Both are running Windows Server 2008 and the domain is Server 2008 native functional level. Both servers reside on our datacenter network. As long as I join the domain and authenticate from other machines (physical and virtual) that reside on the same network, everything works perfectly. However, if I jump over to our VLAN where our desktops reside, it takes roughly fifteen minutes to authenticate. (again, both physical and virtual machines show the same behavior) Once authentication happens, the desktop is perfectly responsive.

After many days of searching, I found the problem. Kerberos. That’s right…Kerberos. In a nutshell, traffic is occurring over UDP, packets become fragmented, packets arrive out of order, system doesn’t know what to do with them, system drops packets. Rinse and repeat. There is a registry setting that you can create that will cause this Kerberos traffic to always use TCP and perfectly fixes the above scenario. Here are the steps:

1.) Open regedit
2.) Navigate to KLM\system\currentcontrolset\lsa\kerberos
3.) Create a new key under Kerberos called Parameters
4.) Under the parameters key, create a new DWord Value and name it MaxPacketSize
5.) Edit MaxPacketSize and change the 0 to 1 in the Value Data box and then change it to use decimal
6.) Exit regedit and reboot

If you would like to know more about this, check out the following link from Microsoft. They’re the pros so I urge you to read what they have to say about it. http://support.microsoft.com/kb/244474

Until Next Time

Techmill