This article is taken from Citrix Support document CTX117248.

Troubleshooting Virtual Desktop Agent Registration with Controllers in XenDesktop



Document ID: CTX117248 / Created On: 2008-5-19 / Updated On: 2012-6-12

Summary

The Desktop Delivery Controller (DDC) relies upon a software component installed upon each Virtual Desktop Machine (VDM) - the Virtual Desktop Agent (VDA) - being in communication with one of the controllers in your XenDesktop farm. This state of being in communication is referred to as the VDA being registered with the controller. If communication fails for any reason, the VDA has failed to register with a controller, the DDC cannot broker a connection to the VDM in question, and the VDM becomes an unusable resource.


The VDA logs issues with registration in the event log, as displayed in the following example:


[Screenshot: VDA registration failure entries in the Windows event log]

The following screen shot displays the three most recent event log entries in this example, that is, Information, Warning, and Error:


[Screenshot: details of the Information, Warning, and Error event log entries]

If the VDM has been added to a desktop group in your DDC farm, you can also see evidence of the VDA failing to register with any controllers in the farm in the Access Management Console's Virtual Desktops view. The Desktop State column provides information about the registration state of the desktop machine; values of Not Registered or Pending indicate that registration has not successfully completed. The following screen shot highlights an example of this (highlighted in yellow):



[Screenshot: Virtual Desktops view in the Access Management Console, with the Desktop State column highlighted]

Troubleshooting Registration Problems

CTX123278 – XDPing Tool is a support diagnostic tool designed to troubleshoot VDA registration issues. It runs through a series of systematic checks to detect common problems typically associated with VDA registration.



Virtual Desktop not added to the correct farm

Whenever you notice VDA event log entries on the worker suggesting registration failure, ensure that the VDM is properly added to the correct DDC farm. This needs to be done from both the point of view of the virtual desktop system and of the DDC farm itself.

  1. Check in the Access Management Console for the farm that the virtual desktop’s machine name is in one of the desktop groups.

  2. Check that the VDA is a member of the correct farm. You can get this information from the event log entry that gives the Globally Unique Identifier (GUID) of the base Organizational Unit (OU) the VDA uses:

[Screenshot: event log entry giving the GUID of the base OU the VDA uses]

  3. Check in the Access Management Console for the farm that the value of the GUID shown matches with the farm’s read-only properties:

[Screenshot: farm properties in the Access Management Console showing the farm GUID]

Note: If the GUID on the VDA does not match the GUID in the Access Management Console of the farm, the VDA is configured to be in a different farm. A VDA’s farm membership can be set through group policy (using the ADM template file FarmGUID.adm supplied in the installation media), or during installation (in which case the value is written into the registry string HKLM\SOFTWARE\Citrix\VirtualDesktopAgent\FarmGUID).



  4. Correct the farm setting of the VDA and restart it to see if registration is now possible.



Virtual Desktop Firewall not properly configured

Registration fails if the firewall on the Virtual Desktop Machine has not had the appropriate exclusions configured to allow communication with the DDC. As an experiment, try disabling all firewall software on the VDM and restart it. If registration now succeeds, the problem points to misconfiguration of the firewall; reconfigure it as explained in the Knowledge Centre article CTX116843 – Desktop Delivery Controller 2.0 Administrator's Guide and re-enable it.

Note: It is not advisable to run with the firewall permanently disabled on Virtual Desktop Machines.


Domain Name Services (DNS) not properly configured

Registration fails if the VDM or the DDC controller sees an incorrect IP address for the other party. Complete the following experiment to see if this is an issue:

  • On both machines, start a command shell window and run the following commands:
    ipconfig
    ping <othermachine.domain.com>

  • Both machines should be able to ping each other successfully by DNS name (this means using the fully qualified domain name (FQDN) including the domain.com bit and not the simple NetBIOS name).
    Crucially, the IP address reported for the remote machine by the ping command in each case should match the IP address reported by the ipconfig command on the relevant machine.

  • If there is any discrepancy, fix the problem with your DNS configuration and restart the VDM and/or the DDC controller, as appropriate.
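The ping/ipconfig comparison above can be scripted as follows. This is an added example, not part of CTX117248; the function name, parameter names and the sample host and address are constructed for illustration, and the peer's ipconfig addresses are supplied by hand.

```powershell
# Added example (not from CTX117248). Run once on the VDM against the DDC's
# FQDN and once on the DDC against the VDM's FQDN.
function Test-PeerDnsConsistency {
    param(
        [Parameter(Mandatory = $true)][string]   $PeerFqdn,
        # IPv4 addresses the peer shows in its own ipconfig output (typed in by hand).
        [Parameter(Mandatory = $true)][string[]] $PeerIpconfigAddresses
    )

    # The article requires the FQDN, not the short NetBIOS name.
    if ($PeerFqdn -notmatch '^[^.]+\..+') {
        throw "'$PeerFqdn' is not fully qualified; use host.domain.com"
    }

    # Same system resolver that ping uses, so the result matches the manual test.
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($PeerFqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $resolved = @()   # the name does not resolve at all
    }

    # Addresses the resolver returns that the peer does not actually own
    # (stale or wrong records are what break registration).
    $unexpected = @($resolved | Where-Object { $PeerIpconfigAddresses -notcontains $_ })

    [pscustomobject]@{
        PeerFqdn      = $PeerFqdn
        Resolved      = $resolved
        Unexpected    = $unexpected
        PingSucceeded = [bool](Test-Connection -ComputerName $PeerFqdn -Count 1 -Quiet)
        Consistent    = ($resolved.Count -gt 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample values:
# Test-PeerDnsConsistency -PeerFqdn 'ddc01.example.com' -PeerIpconfigAddresses '192.0.2.10'
```

A result with `Consistent = False` and a non-empty `Unexpected` list corresponds to the discrepancy described in the last step.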


Time Synchronization not properly configured

Communication between the VDMs and DDC controllers is secured using Kerberos, which relies upon tickets with a limited life span. If the difference in system time between the two ends of the communication is too great, the tickets will always be considered to have timed out when they are accessed and the communication fails.

Check that the system time on all systems is within a reasonably small margin (the default domain-wide Kerberos setting is 5 minutes).
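One way to measure the clock difference against the 5-minute default, as an added example that is not part of CTX117248. It assumes CIM/WinRM remoting to the peer is allowed and that the caller has rights to query it; the function name and sample host are constructed.

```powershell
# Added example (not from CTX117248). Run on the VDM with the DDC's name,
# or on the DDC with one or more VDM names.
function Get-PeerClockSkew {
    param(
        [Parameter(Mandatory = $true)][string[]] $ComputerName,
        # Default domain-wide Kerberos tolerance quoted in the article: 5 minutes.
        [int] $MaxSkewSeconds = 300
    )

    foreach ($computer in $ComputerName) {
        try {
            # Bracket the remote query so network latency can be averaged out.
            $before = (Get-Date).ToUniversalTime()
            $os     = Get-CimInstance -ClassName Win32_OperatingSystem `
                          -ComputerName $computer -ErrorAction Stop
            $after  = (Get-Date).ToUniversalTime()

            $localMidpoint = $before.AddTicks([long](($after - $before).Ticks / 2))
            $skewSeconds   = ($os.LocalDateTime.ToUniversalTime() - $localMidpoint).TotalSeconds

            [pscustomobject]@{
                ComputerName    = $computer
                SkewSeconds     = [math]::Round($skewSeconds, 1)
                WithinTolerance = ([math]::Abs($skewSeconds) -le $MaxSkewSeconds)
                Error           = $null
            }
        } catch {
            # An unreachable peer is reported rather than silently skipped.
            [pscustomobject]@{
                ComputerName    = $computer
                SkewSeconds     = $null
                WithinTolerance = $false
                Error           = $_.Exception.Message
            }
        }
    }
}

# Constructed sample value:
# Get-PeerClockSkew -ComputerName 'ddc01.example.com'
```

A positive `SkewSeconds` means the peer's clock is ahead of the local one.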


XenDesktop 5 Controller VDA Registry Key

Verify that the following registry key has correct information:

    (x86) HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent
    (x64) HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent

    ListOfDDCs REG_SZ

Also view event log entries from Citrix Desktop Service for related information.

PowerShell example on the local VDA machine:

    Get-EventLog -LogName Application -Source 'Citrix Desktop Service' | Format-List

PowerShell example on a remote computer:

    Get-WinEvent -ComputerName <machine-name> -Oldest -ProviderName 'Citrix Desktop Service' | Format-List

Where <machine-name> is the DNS name of the Virtual Machine.


Domain Membership problems

Under some circumstances, a machine (VDM or DDC controller) appears to be part of the domain but, for various reasons, is not. This can cause problems with the secure communication between the VDMs and the DDC controller.

Try removing the machines in question from their domains (by temporarily moving them into a workgroup, for example) and then rejoining them to their domains. When the subsequent system restart has completed, check to see if registration is successful.


Service Principal Names (SPNs)

Communication between Virtual Desktop Machines and DDC controllers uses Microsoft’s Windows Communication Foundation (WCF). The services implementing the communication endpoints use the computer’s identity. Thus, WCF’s mutual authentication model uses the SPN associated with the respective computer accounts (by default, HOST/host’s-fully-qualified-domain-name). The DDC determines the virtual desktop’s SPN by inspecting the servicePrincipalName attribute of the associated computer account in Active Directory.

You can inspect the virtual desktop’s computer account using tools such as Active Directory Explorer. If the servicePrincipalName attribute does not include an entry with the computer’s FQDN, try editing it manually and check to see if that fixes registration problems.
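The servicePrincipalName inspection can also be done from PowerShell on any domain-joined machine. This is an added example, not part of CTX117248; it is read-only, searches the current domain, and the function name and sample values are constructed.

```powershell
# Added example (not from CTX117248): read-only check that a computer account
# carries the default HOST/<fqdn> SPN the article describes.
function Test-HostSpn {
    param(
        # Computer account name without the trailing '$'. The pattern keeps
        # LDAP filter metacharacters out of the search string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string] $ComputerName,

        [Parameter(Mandatory = $true)]
        [string] $Fqdn
    )

    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
    $result = $searcher.FindOne()

    if (-not $result) {
        throw "No computer account named '$ComputerName' found in the current domain"
    }

    # Property keys in a search result are lower case; drop empty values.
    $spns     = @($result.Properties['serviceprincipalname'] | Where-Object { $_ })
    $expected = "HOST/$Fqdn"

    [pscustomobject]@{
        ComputerName   = $ComputerName
        ExpectedSpn    = $expected
        # -contains compares case-insensitively, as SPN matching does.
        HasFqdnHostSpn = ($spns -contains $expected)
        AllSpns        = $spns
    }
}

# Constructed sample values:
# Test-HostSpn -ComputerName 'VDM-042' -Fqdn 'vdm-042.example.com'
```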


Multiple Network Adapters

If a virtual desktop has multiple network adapters that can be used to communicate with the DDC, this might cause the security negotiation to fail. In that case, try disabling all network adapters except for the one used to communicate with the DDC.


Local Security Policy Settings

In the case of some images, especially military images, restrictive security policy settings might prevent the VDA from registering. See http://helpdeskgeek.com/how-to/reset-local-security-policy/ for details on how to reset security policy settings to their defaults.


This document applies to:


This article is reposted from cofferwu's Sina blog: http://blog.sina.com.cn/s/blog_64da692d01015fdn.html; please retain the author attribution when reposting.