Showing posts from 2017

Export VMware App Volumes - Writable Volumes from VSAN Datastore

If you have a VMware VSAN environment and want to export App Volumes Writable Volumes from the vsanDatastore to another datastore or storage, or to provide them to VMware GSS/R&D for further analysis, read on!

Background – The traditional way of exporting the Writable Volumes from the source vsanDatastore was to attach the *.vmdk to a dummy VM as an “Existing Hard Disk” and export the dummy VM using the “Export OVF Template” option from vCenter, then repeat all the steps on the target datastore where it needs to be imported. However, if you want an alternative and easier method than the dummy VM, follow the steps below.

Step by Step Instructions:

-- SSH to any ESXi host in the Resource Cluster where the WV is stored and browse to the cloudvolumes/writable directory location:
# cd /vmfs/volumes/vsanDatastore/cloudvolumes/writable
(This is the location where all end-user writable volumes are stored)
-- Now search for the end-user (E.g twood) for which you want to exp...

McAfee Exclusion for VMware App Volumes 2.x – 100% CPU Issues

In your Virtual Desktop Infrastructure with the following configuration:

-- Horizon 7.x – Floating Desktop Pool
-- App Volumes 2.x – Writable Volumes UIA+Profile
-- McAfee Agent 5.x and McAfee VSE 8.x in your Master Image

If you start noticing 100% CPU usage for a prolonged period of time and the Horizon session getting disconnected from time to time after launch, then you might need to include the following exclusion within your Writable Volumes (UIA+Profile) snapvol.cfg file:

#McAfeeExclusion
exclude_process_path=\Program Files\Common Files\McAfee\SystemCore

My colleague Daniel Bakshi has written an extensive blog post on how to modify the snapvol.cfg for an individual or a group of end-users; please reference it to make the necessary changes - Using the VMware App Volumes snapvol.cfg File to Customize Writable Volumes

I hope you will find this exclusion useful and that it will help you resolve a similar issue a lot quicker. A big thanks to Art Rothstein in helping to troubleshoot and...

Create a Memory Dump from a Suspended Virtual Machine - VMware vSAN

If you have a VMware VSAN environment and want to capture a memory dump of a virtual machine for debugging, or want to provide memory.dmp to VMware GSS or R&D for further analysis, read on!

Use Case – In our scenario we had a few VDI desktops running Windows 10 1607 + Horizon 7.3.1 + App Volumes Writable Volumes 2.13.1 + UEM 9.2.1 that were getting into an unresponsive state. As a last resort we wanted to capture the memory dump to find out more about what was causing the VM to become unresponsive.

Step by Step Instructions:

-- Using the vCenter console, select the Virtual Machine: VM – Power – Suspend
-- This will create the *.vmss and *.vmem files for debugging. (Note the *.vmem file is applicable for ESXi 6.0 onwards)
-- Make a note of the ESXi host name/IP where the VM is in the Suspend state
-- SSH to the ESXi host and browse to the VM directory location:
# cd /vmfs/volumes/vsanDatastore/od-av-troub-1
(Where “od-av-troub-1” is the VM name)
-- Now lets op...

Persistence Profile - F5 LTM Load Balancing for VMware Unified Access Gateway Appliance

If you are using F5 LTM in the DMZ to load balance (LB) the VMware Unified Access Gateway (UAG) appliance, it is very important to use the iApp or the F5 deployment guide to set the Persistence Profile options properly, or else you might end up with issues.

Background: The F5 LTM VIP for the UAG appliance was created manually without using the f5_vmware_view iApp, and the Persistence Profile settings were manually configured. (I highly recommend using the iApp and going through the F5 deployment guides)

Issue 1: The BLAST connection fails in the backend. The original SessionID request was going to UAG1 and, due to the LB in front, the next request for the same SessionID was going to UAG2.

Log Snippet UAG1:
[2017-XX-XX 12:50:33.428] [INFO]    2289 [absg-master] - Added route 810DF5FF-*** to target 10.x.x.x|22443

Log Snippet UAG2:
[2017-XX-XX 12:50:35.589] [ERROR]    2723 [absg-worker] - Failed to resolve proxying route: 810DF5FF-***

As noted above the ...

Troubleshooting Horizon TrueSSO aka Horizon Enrollment Server like a Ninja!

If you have deployed the Horizon TrueSSO feature within your environment, the most obvious question is how to troubleshoot when issues occur. Let me give you some tips and tricks around troubleshooting the TrueSSO aka Enrollment Server feature:

If responsibilities are split between two teams, one managing Active Directory/Certificate Services and the other managing the Horizon infrastructure, the following are tips for the Horizon admins.

-- Install the Microsoft RSAT tools on your domain-joined machine or Enrollment Servers and install the AD Certificate Services Tools. This will give you the ability to see the following snap-ins in read-only mode:
   Enterprise PKI – Allows you to check the CDP and CRL and Issuing CA Status
   Certificate Templates – TrueSSO, Enrollment Agent (Computer) Templates etc.
-- Make sure to enable trace logging on the Enrollment Servers and Horizon Agent (within the master image) during troubleshooting. It will provide additional details on the error message [HKEY_LOCAL_MACH...

Top 10 lessons during Horizon TrueSSO deployment aka Horizon Enrollment Servers

I recently got an opportunity to deploy VMware Horizon TrueSSO within our environment. TrueSSO provides users with true single sign-on (SSO): after users log in to VMware Identity Manager (Workspace ONE), optionally using RSA SecurID authentication, they are not required to enter Active Directory credentials in order to use a virtual desktop or hosted application. Let me share my top 10 lessons learnt from the deployment:

-- In a production deployment I recommend sizing the Enrollment Server Windows VM the same as the Connection Server (the ES role is not very resource intensive):
   CPU – 4 vCPU
   Memory – 10 GB RAM
   HDD – 80 GB
-- Make sure the “Group Scope” is selected as “Universal” for the Active Directory group in which the Enrollment Server - Computer Account is added
-- On the newly created TrueSSO template (SmartCard Login and Client Authentication) make sure under the Security Tab “Authenticated Users” group has Read permissions and The Active Directory group for the Enrollment ...

Vulnerability Scanner for WannaCry and NotPetya – VDI environments

With a lot of enterprises in the middle of the WannaCry and NotPetya vulnerabilities, if you are running an enterprise VDI environment the fix is pretty simple. Just target your Master VM or Golden Master images and run Windows Update. Once you have updated the image, simply Recompose or Push-Image the desktop pools with the latest updates. Your environment is quickly secured! These vulnerabilities reiterate the importance of regular patching within production environments for your core infrastructure + Master Images.

WannaCry Patch for All Windows versions - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Vulnerability Scanner

A quick and easy way to scan your environment is using a free EternalBlue vulnerability scanner - http://omerez.com/eternalblues/

Simply download the scanner and launch it on a Windows VM of your choice on Windows 7/8.1/10.

IP Range: The tool by default tends to select the /24 subnet. However, if you have a bigger subnet like a /19 t...

Horizon 7.2 – RDS Farm with View Composer fails on “Customizing”

While creating an RDSH Farm in Horizon 7.2 using View Composer – Linked Clones and Custom Specification Manager, the creation would fail on “Customization” within the View Administrator console. Upon investigation within vCenter, the Windows Server 2012 R2 RDS Session Host VMs were not getting a valid IP and were receiving 169.x.x.x APIPA addresses.

After researching quite a bit, the most common solution to the problem was:

-- Un-install and re-install vmwaretools
-- Un-install and re-install Horizon Agent 7.2 on the RDS Master Image

After performing the above two steps the issue completely changed from getting a 169.x.x.x APIPA address to a proper DHCP server routable address. However, we were getting a different error this time: “Windows could not finish configuring the system after a generalized sysprep”.

Final Solution

Within the master image we were using the McAfee VSE Agent Patch 7 as the antivirus protection. This particular version was causing the issue with the...

Error 1303 The installer has insufficient privileges to access this directory – Upgrade from App Volumes 2.12 to 2.12.1

With the latest version of App Volumes, 2.12.1, you don’t have to uninstall the older version of App Volumes Manager. The latest App Volumes Manager 2.12.1 installer takes care of the uninstall and fresh install, and retains all the configuration details and settings automatically for you.

During the upgrade I encountered the following error:

“Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files(x86)\CloudVolumes\Manager\log. The installation cannot continue. Log on as an administrator or contact your system administrator.”

Resolution: In our scenario we have the VMware vRealize Log Insight Agent installed on the App Volumes Manager VMs, which is doing Syslog. The Log Insight agent captures the logs (production.log) inside the folder “C:\Program Files(x86)\CloudVolumes\Manager\log”. As the service was in the running state, it didn't allow the folder to be deleted and left a ghost folder on the filesystem. After going into the services.msc and s...

EUC Session for VMworld 2017

Folks, I have submitted a session for VMworld 2017. If you would like to see it go on stage then please vote!

My Session: The secret sauce behind VMware’s internal Horizon desktop deployments [1255]

Ever asked yourself “How does VMware architect their own global Horizon desktop environment?”, “Have they encountered the same obstacles we are facing?” Over the past two years VMware has been re-architecting and re-deploying their virtual desktop infrastructure with Horizon, App Volumes and User Environment Manager (UEM) running on top of the full VMware SDDC stack (vSphere, VSAN, NSX) and integrating with vRealize Operations Manager and Log Insight. In this session the lead architects will reveal all.

Direct Link to my session, VOTE HERE: https://my.vmworld.com/scripts/catalog/uscatalog.jsp?search=1255

How to Vote?

-- Create a new account if you don’t have an existing one - https://www.vmworld.com/myvmworld.jspa and click on “Create Account”
-- VMworld 2017 Catalogue Search in VMwor...

Enabling Verbose Mode for ADMX Logging (NoAD Mode) – VMware UEM 9.1

If you are using VMware UEM for applying ADMX-based settings and want detailed verbose logs on ADMX, then you will have to add an additional advanced setting in the NoAD.xml file.

Background: We were applying an ADMX setting (Desktop Background Wallpaper) and it wasn’t applying on the virtual desktop. The informational logging was not sufficient for deriving the root cause of the issue: why was the ADMX setting getting skipped? After enabling verbose logging, it started logging additional information that was helpful in arriving at a conclusion.

Solution (NoAD.xml)

Located under the \\FileShare\General\FlexRepository\NoAD subfolder.

Setting: Enable verbose logging for ADMX-based settings, application blocking, and Horizon policies
XML Attribute: AdmxLogging="1"
Comments: Set to 1 to configure

Screenshot of the NoAD.xml file:

After enabling the setting you will see an additional file called FlexEngine-ADMX.log in the logs folder which will capture all the verb...

How to collect logs from Horizon View 6.x/7.x Instant Clones – Desktop VM’s

If you have desktops deployed via Horizon View 6.x/7.x Instant Clones technology, it can get very difficult to collect the Horizon View Agent logs from the desktop VM for troubleshooting/analysis purposes. The moment the end-user logs off from the desktop, it goes into Status = Disconnected –> Deleting.

vCenter Task for log-in and log-off of the desktop

vCenter Task for Deleting –> Customizing –> Available

The above operations happen very quickly. Suppose in our scenario the desktop was failing on Status=Customizing (View Administrator). The desktop's status would change to the Error state, after a couple of seconds it would be deleted, and this would remain in a loop until the desktop becomes available. This is by design, as the Instant Clone is trying to re-create the desktop. There was no way to capture the logs for analysis or troubleshooting.

Resolution: Now you can disable the recovery of the Instant Clone desktop VM if they are in the Status=Error (Strictly for t...

Error accessing iOS devices - VMware Horizon View 7.x and F5 BIG IP APM 12.x

If you have recently upgraded to Horizon 7.x and use BIG IP APM version 12.1, you may find that your Apple iPad and iOS devices don't work. The following error message is shown on the Horizon View Client. (Screenshot from iPad)

Error: The Horizon server connection failed. Error the connection timed out.

Resolution: In our scenario all the other devices such as Android, Windows etc. were working fine. To fix this problem we had to create a new F5 iRule (name it F5-APM-iOS-fix):

    when HTTP_REQUEST {
        if { [HTTP::header "Origin"] ne "" } {
            HTTP::header remove "Origin"
        }
    }

Note: Make sure you apply this iRule on the existing Horizon View iApp, or else it will not allow you to apply the iRule and you may get an error message.

Reference KB Article: K84958121: Accessing VMware Horizon 7 through the BIG-IP APM system

Thanks, Aresh