16-02-15

Elite Implementer Status : A Few Thoughts

Cert_Roadmap_2015Q1_v5_final_WEB

 

(Image taken from vmware.com)

There is a lively thread going on over at LinkedIn regarding the new VCx 6.x tracks that I felt compelled to jot down a few thoughts on. Firstly, once the new track becomes live, the VCAP level certs will be renamed to VCIX (VMware Certified Implementation Expert) and will require two exams as before. One for administration and one for design. So far, so good. Two exams as before, presumably of similar lengths as the VCAPs now with the same core set of skills being measured. However, instead of having two certifications to your name (VCAP-DCx and VCAP-DTx), you’ll have one. Fine, I suppose it makes sense and I don’t have a problem with that.

Now comes the interesting bit – “Elite Implementer status will be granted for candidates who complete multiple VCIX certifications”. I’m glad VMware have recognised the amount of effort and skill required to complete multiple Advanced tracks, however these exams aren’t yet live (I’m guessing it will be  around VMworld time before we see them in the wild) and there are a lot of people out there whose VCAP certifications are current and have completed multiple tracks.

In my opinion, there is no reason why VMware cannot enact this change right now. It costs them nothing and provides recognition to those who have spent a minimum of around 12/14 hours sitting these tough VCAP exams and getting through them. Think about it. Yes, we’d all like to be VCDXs, but the crushing reality is often that this certification requires a level of commitment way over and above anything I’ve seen from any other certification. I simply don’t have the time and energy to commit to around 100-150 hours on putting together a design and submitting it to VMware and then defending it in front of a panel, much as I’d love to.

The VCAP exams are tough, make no mistake. Not only do you need to have “operational” experience with all the respective products, but you also need to have a good understanding of the overlapping ecosystem – such things as third party solutions, Active Directory, Group Policy, storage, networking and more. Anyone with a VCAP cert has been through the mill to get it and deserves a pat on the back. To have both design and administration certs for multiple different VMware technologies elevates you to another level still.

So in short, come on VMware, recognise your multi-track vRockstars now and give them Elite Implementer status. It’s a small gesture that will go a long way and keep existing holders motivated for when the 6.x track comes on line. For more information on the 2105 track announcements, please visit MyLearn.

Comments and opinions are welcome, maybe with enough weight we can make it happen!

 

15-08-14

VCAP-DTA Consolidated Study Guide 1.5 Released

Now that I have finally passed, I’ve been back over the Consolidated VCAP-DTA Study Guide and updated it. I’ve done some small formatting changes so it’s a little easier to read, as well as correcting a few typos I found and adding in the two quick reference tables for PCoIP and Windows image tuning that I blogged about previously. I’ve also added in a few exam tips for those thinking of sitting soon. As this road has now come to a bit of an end, I won’t be maintaining this guide from here on in until the VCAP6-DTA is released, which I expect to be a little way off just yet.

I’ll also update the sample questions guide, but that may follow in a week or so.

Enjoy!

 

14-08-14

VCAP-DTA Exam Experience (Redux)

So I got back about an hour ago from my second sitting of the VCAP-DTA exam in Leeds. As regular readers will know, I sat it a couple of weeks ago and failed. The score report I got back gave me some suggestions on the areas I wasn’t quite so hot on, so I spent some extra time going back over those and making sure I understood them (two factor authentication and group policy settings to name but two). I had the mindset that if I didn’t pass it today, it would be a would be a while before I’d be back as my employer wants me to get up to speed with the latest MCSE track and quickly, meaning I wouldn’t have the bandwidth (or the mental capacity!) to take on both at the same time.

Nor did it help that I was running a little late, I’d had a coffee and an early lunch because as usual, my appointment spanned over lunch time and I didn’t want to get hungry. By the time I set off for the test centre, it was getting close to my appointment time start so I had to run the last couple of hundred yards to make it on time. With that and a coffee swilling around inside me, my eyes were on stalks when the exam started!

I’m not sure how large the pool of questions is, but I did get a few I’d had previously, including some I came a little unstuck on. I tried to move on if I felt I was getting bogged down, with the intention of picking up as many points as possible elsewhere. Somewhat surprisingly, by the time I’d completed question 23, I still had 30 minutes left. So I went back, quickly checking my answers and referring to the admin guide on the ones I was stuck on.

It turned out to be a pretty effective strategy, although I did go back to delete and restart one “answer” I’d started and then ran out of time, as the desktop refresh was a little laggier than last time, and I couldn’t quite complete the task in time.

I came out feeling tense as I thought I’d passed last time and didn’t,  and I was mindful that I hadn’t completed all tasks with the loss of points that entails. Anyway, I got the score report back quickly again (thanks Joshua!) and this time thankfully I’ve passed! So now I have four VCAPs and I can afford to dream of the far off pot of gold that is the VCDX. I’m not going to think about that yet, as I’ve a box full of Microsoft exams to get done before I can get to that. Still, in the words of Peter Venkman, “we came, we saw, we kicked it’s ASS!”

 

G-1136 - We came, we saw, we kicked its ass

 

07-08-14

VCAP-DTA PCoIP Tuning Quick  Reference

Following on from my previous post regarding tuning your Windows 7 image for the purposes of the VCAP-DTA exam, I lifted the following table from the View 5.2 Best Practices guide. In the exam you don’t have a lot of time and you’re probably going to have to tackle a question at some stage about PCoIP performance or be asked to tune it for certain restrictive network conditions. The table below has a handful of settings which should help you go a decent way to getting good marks for this question:-

SETTING

DEFAULT RECOMMENDATION

DESCRIPTION

Build to lossless

On

Turn Off

Enables the ability to enable or disable build to lossless
Session Audio BWlimit

500Kbps

50 – 100Kbps

Reduces bandwidth usage of audio with usable quality
Maximum frame rate

30

Change to 10-15 based on network settings

In WAN conditions, this will be helpful for video playback and fast graphics operations
Maximum sessionbandwidth

n/a

Set per network conditions

Good for better bandwidth estimation
Client side cache size

250MB

Set per client-side memory available

This allows you to configure the client side image cache size

05-08-14

Windows 7 Desktop Tuning Quick Reference

Another item that kicked me a bit in the VCAP-DTA exam (as per the RADIUS post below) was tuning the Windows 7 desktop image for VDI. I mean, that could be a million settings, couldn’t it? Where do you start? You could take the whole of the three hours of the exam tweaking and changing! While going through a View best practices white paper for another piece of work that I’m doing, I came across a handy chart for a handful of basic items you should tune on your Windows 7 desktop, which is a damn sight easier than remembering hundreds of registry keys and group policy settings!

 

PARAMETER CONFIGURATION
vCPU 1 for WinXP and Win7 and Win8

2 for multimedia intensive apps

Memory 512-768 MB for WinXP

1GB for 32-bit Win7 and Win82GB for 64-bit Win7 and Win8

3GB for Win7 and Win8 64-bit for memory-intensive apps

Network adapter VMXnet3, flexible
Storage adapter PVSCSI or LSI Logic SAS
VMware Tools Latest installed
Visual settings “Adjust to best performance”

Disable Animations for Windows Maximize and Minimize operations

Use default cursor for busy and working cursor

Disable services Windows Update, Super-fetch, Windows Index
Group policy settings Disable Hibernation

Screensaver to None

Other settings Turn off clear-type

Disable fading effectsDisable auto-play and external drive caching for quick release

Disable last access timestamps (1)

 

1) Set the registry key HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Filesystem/
NtfsDisableLastAccessUpdate to 1

31-07-14

Configuring RADIUS Two Factor Authentication with Horizon View

One of the things I fell short on in the VCAP-DTA exam was RADIUS and two factor authentication. I hadn’t really done much with it for the thick end of 10 years and when it came to the exam, I just hadn’t worked through it enough to remember what all the moving parts were and how they worked. Once I failed the exam, I wanted to go back and re-review what all the moving parts were, how they hung together and basically how to set it all up from start to finish.

Like most people with home labs, I have a couple of Windows Servers performing multiple roles, including Domain Controller, Certificate Authority etc. One thing you can do to practice configuring RADIUS authentication for Horizon View is to install the Network Policy Server role on one of your Windows boxes and configure RADIUS. When Googling how to do this, I found a really good (and up to date) white paper on VMware’s website with clear and concise instructions about how to configure the Windows Server end and also the Connection Server end to make two factor authentication happen.

Literally from start to finish, the process took no longer than around 10-15 minutes. Well worth a run through before the VCAP-DTA exam to make sure you really understand RADIUS components and how Horizon View hooks into it. The guide also covers RSA Authentication Manager if you want to practice that, but I wouldn’t expect to see that option on the exam. Worth knowing though, just in case.

The white paper (PDF) is available here.

 

30-07-14

VCAP-DTA Consolidated Study Guide 1.4 Available

 

download

 

I did promise on Twitter last week that once I’d got the exam out of the way, I’d take the study notes I’d written so far and put them into one document for easier (and offline) reading. Well I’ve done that. Turns out it was a lot more effort than I thought, but it’s now available from the link in the top menu bar on the VF homepage. There may be errors or typos in there, I checked it the best I could. If you spot anything, let me know via Twitter and I will try and correct it once I’ve validated it.

I’m also writing some exam questions that follow the exam blueprint. Nothing special, but it will hopefully just jog your memory enough to make sure you understand the things you’re being tested on. That’s coming along nicely and should be available by the week’s end.

Hopefully you will find the study guide of use for the exam, all feedback is welcome as I improve it.

 

28-07-14

VCAP-DTA Exam Experience

As most regular readers will know, I sat the VCAP-DTA exam last Friday. The short version is I failed. Only by a few points, but first is first and second is nowhere, as they say. I’d been studying for the exam on and off for seven months and I felt reasonably well prepared for it, but like all good exams, it found my weaker spots and probed them mercilessly.

As usual, I had to travel over the Pennines to Leeds to my nearest VCAP test centre. I don’t mind that so much, it’s an air conditioned train and I can get some quiet time to go back over my study notes and make sure I’ve got it all fresh in my mind. The exam itself is 23 questions (many with subtasks) over 3 hours. I say this all the time, but it’s really tight time wise and you just don’t have the slack in the three hours to get stuck on something or to go back and validate your responses. That’s not an excuse by the way, I’ve said that before on VCAP exams I’ve passed.

In terms of exam content, it was pretty close to the blueprint, so the usual advice of read it thoroughly before you go in still stands true. A special mention for VMware Education for getting my results back in a couple of hours. I know a lot of effort has gone into streamlining the marking process and it is better to get the results quickly, even if it wasn’t the score you wanted.

How did I feel? Annoyed with myself, but also a bit surprised. My gut feeling was that I’d done enough to get through the exam and pass, but I hadn’t. That being said, I know of other very competent View folks who haven’t got past it first time either. I suppose if anything, it illustrates the value of the certification as it’s so hard (for me) to get.

I will be back to have another crack at it, but I have to wait 14 days now. I’ll probably need that long to recompose myself (no pun intended) and also to cover over ThinApp and other items that kicked my ass a bit. Anyone who thinks that you only need to know your way around View Administrator is in for a pretty rude awakening.

So then, to close, here are some words of advice :-

  • Follow the blueprint and look at the wording of the skills and abilities section carefully
  • Keep moving. You have three hours and it will go in a snap. If you are doing a task that requires an installer running, kick it off and move on to the next thing. It will buy you valuable minutes and you can go back to it later
  • Steve Dunne’s advice on re-sizing your remote screens to 1024 x 768 is a good one if you don’t have a large monitor
  • If you get the 5 minute warning and you haven’t finished and then you can’t click inside your remote session anymore, click the question tab and then click the top tab to get back to your remote session to restore control. I worked this out with about 45 seconds to go!
  • Use the study guides available, they’ve usually been written by folks who’ve been through the pain of the exam!
  • Run through all the objectives in your lab. If you can’t afford a home lab, use the VMware Hands On Labs and just play around there, I’m sure they won’t mind if you don’t stick to the script

25-07-14

VCAP-DTA Section 8 – Secure a View Implementation

Objective 8.1 – Configure and Deploy Certificates

Section 8 assumes we now have a fully upgraded and working View 5.2 pod and end users are happy as we’ve sorted out their clients. Now we have to circle back and look at ways of locking down and securing the View pod against unauthorised access.

  • Configure 2 Factor/Smart Card Authentication including truststore – 2 Factor authentication is configured on a per Connection Server basis. So go into View Administrator, select View Configuration, Servers and then the Connection Server tab. Select the Connection Server you want to configure for two factor authentication and select Edit. Click the Authentication tab and you’ll see the dialog as shown below.
    • You must first obtain the root Certificate Authority certificate from the CA being used to sign the certificates on the smart cards
    • Use the keytool utility to import the CA certificate into the server truststore file using the command syntax keytool -import -alias alias -file root_certificate -keystore truststorefile.key
    • Copy the truststore file into the sslgateway folder on either the Connection or Security Server, depending on the scenario. This is typically located at %PROGRAMFILES%\VMware\VMware View\Server\sslgateway\conf\
    • Smartcard authentication has three options in the drop down, Not Allowed, Optional, Required. Choose the appropriate option. You can also check the box to disconnect sessions on smart card removal, for added security.

2factor

 

 

  • In the Advanced Authentication section, choose whether 2 Factor authentication is Disabled, RSA SecurID or RADIUS. For exam purposes, I’m assuming it will be RADIUS as this is not a proprietary solution.

radius

  • With RADIUS selected, choose whether to Enforce 2-factor and Windows user name matching and/or Use the same user name and password for RADIUS and Windows authentication.
    • In the Authenticator drop box, choose Create New Authenticator and fill out the RADIUS server details similar to below:-

radius-server

 

  • Complete the wizard to finish the setup of RADIUS.

 

  • Configure and deploy View certificates – By default, View Connection and Security Servers use self signed certificates. This in itself is fine and will work, but you will see warnings in View Administrator to say these certificates aren’t trusted as they weren’t issued by a trusted Certificate Authority. In order to secure your Connection and Security servers, you will need to perform the following process:-
    • Create a Certificate Signing Request (CSR) from the server you wish to  add a trusted certificate to (you can use Windows certreq tool to do this). The View documentation has a request.inf file you can re-use for this purpose (certificate must be in PKCS12 format)
    • Obtain a signed certificate from the issuing CA
    • Verify the CSR and the private key are stored in the local computer’s certificate store by running certmgr.msc and looking in the Certificate Enrolment Request folder
    • Import the certificate into the local store using certreq -accept cert.cer
    • Once the certificate is imported, in Certificate Management, add the friendly name of vdm to the certificate and install the root CA and intermediate (if appropriate) certificate into the certificate store
    • Restart the Connection, Security or Composer Services for the changes to take effect
  • Configure certificate revocation checking using the locked.properties file – Certificate Revocation is another security step which prevents SSL certificates that have been listed as revoked by the issuer to be reused for secure services. In order to configure View to use certificate revocation lists (CRL), you need to amend the locked.properties file which can be found in %PROGRAMFILES%\VMware\VMware View\Server\sslgateway\conf\ with the following lines:-
    • enableRevocationChecking=true
      enableOCSP=true
      allowCertCRLs=true
      ocspSigningCert=te-ca.signing.cer
      ocspURL=http://te-ca.lonqa.int/ocsp
    • Where ocspURL is the URL of the OCSP Responder. Note the above is used for smartcard certificate checking, View server certificates have CRL checking built in.
    • If you are using your own CA and cannot include CRL information in the certificate, amend the CertificateRevocationCheckType registry key under HKLM\Software\VMware, Inc.\VMware VDM\Security and set the appropriate level as below:-
      • 1 – Do not perform CRL checking
      • 2 – Only check the server certificate, don’t check any other certificates in the chain
      • 3 – Check all certificates in the chain
      • 4 – Check all certificates except the root (default)
  • Perform a certificate replacement using sviconfig – Adding a certificate to  View Composer follows pretty much the same steps as above (Create CSR, get signed certificate, import certificate) but with one additional step. Stop the View Composer service and run the command sviconfig -operation=ReplaceCertificate -delete=false  to use the new certificate added to the local certificate store. The delete=false option is mandatory and false will not delete the old certificate from the Windows certificate store. Enter the number of the certificate you wish to use and then finally restart the View Composer service for all changes to take effect.

 

Objective 8.2 – Harden View Components and View Desktops

  • Open firewall ports used by View components – Regardless of whether you need to change the server or client end firewall settings, this is done via Firewall.cpl or Windows Firewall, depending on how you prefer to run these things. By default during View component installation, if the installer detects Windows Firewall is running, it will attempt to make the required firewall changes to allow View to operate, so ports such as 80, 443 (HTTP(s) for authentication), 1472 (PCoIP), 3389 (RDP), 32111 (USB redirection), 9427 (MMR), 4001 (JMS), 50002 (PCoIP). Verify these ports are enabled at both ends where appropriate and ensure the correct protocol is used (UDP or TCP). Chances are in the exam you’ll be asked to add a firewall rule to facilitate a connection. Also don’t forget there are three firewall profiles – domain, private and public networks. Make sure this doesn’t catch you out. To make changes to the Windows Firewall, select Allow a program or feature through Windows Firewall. All installed VMware services should be listed, add a tick box to which services you want to allow through, as shown below:-

Firewall

  • Disable Windows services – View has several services it uses in the normal course of operations, including:-
    • VMware View Connection Server
    • VMware View Framework Component
    • VMware View Script Host
    • VMwareVDMDS
  • Typically only the services required will be started automatically, but in the exam there may be a case of a service started that shouldn’t be, or vice versa. At  a glance, the prime suspect would appear to be VMware View Script host, which is usually disabled but must be enabled  if scripts are to be run against the server. To enable and disable services, go to Start | Run | services.msc. All View services are prefixed with “VMware”, so they’re all pretty easy to spot in the services list. Whichever service you wish to configure, right click and go Properties and change the Startup Type to Disabled, Manual or Automatic. You can also stop a service from this dialog.

services

 

  • Configure appropriate message security mode – Message security mode assigns security to JMS messages, which the method that View components use to communicate with each other. By default, this setting is enabled so all JMS messages that are not signed correctly are rejected. This can be amended to disabled or mixed, where message security is enabled but not enforced. Generally this setting is only required with legacy versions of View (3.0 or earlier). To configure this setting, go to View Administrator and then View Configuration | Global Settings | Security Pane Edit  and choose the required mode from the drop box as shown below:-

securitymode

  • Configure SSL for appropriate View functions – By default, View uses HTTPS redirection already for View client and administration traffic, in addition to Local Mode SSL encryption. As this is already enabled by default, I can only surmise that it will have been disabled somewhere for the purposes of the exam. Also, ensure the link to vCenter goes over port 443 and the View Composer port is 18443 by default, which is also secure. All of this is configured from View Administrator, under View Configuration | Servers. Select the vCenter Server or Connection Server you wish to configure and select Edit to make the required changes. The Local Mode settings are under the Connection Server under the Local Mode tab.
  • Configure secure tunneling – Secure tunneling is used when additional security or direct connections to the virtual desktops are not possible or desirable. All three protocol methods (RDP, PCoIP and HTML/Blast) have their own secure gateway tunnel and this is configured from within View Administrator. Go to View Configuration | Servers | Connection Servers and click Edit. From here, the General tab lists all gateways where they can be enabled/disabled and configured. Simply check the box next to the gateway to enable it and change any URLs/ports as required, as shown below. Remember the PCoIP Secure Tunnel URL Is always an IP address!

tunnels

 

  • Configure security settings in the View Agent Configuration Template – To configure security settings for the View Agent, you need to add the ADM template file into Group Policy Management (or you can add it in locally to your master image). The file is called vdm_agent.adm and can be found on the Connection Server under %PROGRAMFILES%\VMware\VMware View\Server\extras\GroupPolicyFiles. Once added into Group Policy Management, various options can be set as shown below, including:-
    • USB Configuration (allow/disallow USB device types, models etc.)
    • Agent Configuration (Commands to run on connect/reconnect etc.)
    • Agent Security (allow unencrypted connections from older legacy devices)

viewagent

 

 

VCAP-DTA Section 9 – Configure Persona Management for a View Implementation

 

Objective 9.1 – Deploy a Persona Management Solution

  • Create a Persona Management repository – To create a View Persona Management (VPM) respository, simply create a regular file share on a Windows server on the network. This can be a NAS device or a Windows Server, it doesn’t really matter. When creating the VPM share, note the following guidelines from the View Persona Management guide:-
    • The shared folder does not have to be in the same domain as View Connection Server
    • The shared folder must be in the same Active Directory forest as the users who store profiles in the shared folder
    • You must use a shared drive that is large enough to store the user profile information for your users. To support a large View deployment, you can configure separate repositories for different desktop pools
      • If users are entitled to more than one pool, the pools that share users must be configured with the same profile repository. If you entitle a user to two pools with two different profile repositories, the user cannot access the same version of the profile from desktops in each pool
    • You must create the full profile path under which the user profile folders will be created. If part of the path does not exist, Windows creates the missing folders when the first user logs in and assigns the user’s security restrictions to those folders. Windows assigns the same security restrictions to every folder it creates under that path
      • For example, for user1 you might configure the View Persona Management path \\server\VPRepository\profiles\user1. If you create the network share \\server\VPRepository, and the profiles folder does not exist, Windows creates the path \profiles\user1 when user1 logs in. Windows restricts access to the \profiles\user1 folders to the user1 account. If another user logs in with a profile path in\\server\VPRepository\profiles, the second user cannot access the repository and the user’s profile fails to be replicated
  • Implement optimized Persona Management GPOs – To add VPM group policies, you first need to add in the ADM template file to Group Policy Management. You can add it locally to a parent image, but then you will lose management control. To enable management domain wide, adding the template into Group Policy Management and linking it to an OU in Active Directory is preferred. The ADM template is called ViewPM.adm and can be found on a Connection Server under %PROGRAMFILES%\VMware\VMware View\Server\extras\GroupPolicyFiles. Once added into Group Policy Management, the following settings folders are available:-
    • Roaming and synchronization
    • Folder redirection
    • Desktop UI
    • Logging
  • There are dozens of different settings available to VPM in the group policy, so the exam will probably have some specific requirements on you to configure. Two settings you will need are the first settings in the Roaming and synchronization folder, Manage User Persona and Persona Repository Location. Set the first setting to Enabled to switch on VPM, and here you can change the default synch period from 10 minutes to something else. For Persona Repository Location, set this to Enabled and configure the UNC path to the share you previously configured, \\dc01.beckett.local\VPRepository for example.

vpmsync

  • Implement optimized Windows Roaming Profiles with Persona Management – There may be some cases whereby you do not want to constantly sync parts of the user profile every 10 minutes using VPM. Perhaps there is an application dependency. What you can do within the GPO is set some folders to be exempt from the ongoing sync process and only sync the changes to the VPM repository when a user logs off. To do this, go to your VPM group policy and set folder exceptions as shown below:-

syncexceptions

 

Objective 9.2 – Migrate a Windows Profile

 

  • Ensure pre-requisites are met for a profile migration – The pre-requisites from the View Admin guide are listed below:-
    • Run the migration utility on a Windows 7 or Windows 8 physical computer or virtual machine
    • Log in to the Windows 7 or Windows 8 system as a local administrator
    • Verify that the system on which you run the utility has network access to the CIFS network shares that contain the source V1 path and destination V2 path
    • Verify that the user account that runs the utility is a local administrator on the destination CIFS network share
    • If the user account that runs the utility does not have full ownership of the user profiles that are migrated, specify the /takeownership option with the utility
      • This option passes ownership of the user profile folders to the utility during the migration. Ownership is returned to the users after the migration is completed
    • Ensure that the users whose profiles are being migrated are not logged in to their Windows XP systems when you initiate the migration
      • If a user is in an active session during the migration, the migration might fail
    • Ensure that users do not start using their Windows 7 or Windows 8 desktops before the migration is completed
      • When users start using their View desktops, View Persona Management creates V2 profiles for the users. If a V2 profile already exists before the migration runs, the utility leaves the existing V2 profile in place and does not migrate the legacy V1 profile
  • Perform profile migration using migprofile.exe – The migprofile.exe utility is installed with the View Agent and can be found under %PROGRAMFILES%\VMware\VMware View\Agent\bin or can be installed standalone. The utility can be used to migrate V1 profiles (Windows XP) en masse from a shared repository to another repository in V2 format, or used on a piecemeal basis to upgrade a user at a time, if required. The examples below are taken from the View Persona Management guide:-
    • migprofile.exe /s:\\file01\profiles\* /takeownership performs an in-place upgrade of profiles on a network share from V1 format to V2. The latter have the .V2 extension added to the profile folder

    • The following example migrates the V1 profile for the user ts115 on the computer devvm-winxp to the remote path \\file01\profiles. The utility takes ownership of the user profiles during the migration:

      migprofile.exe /s:\\devvm-winxp\c$\documents and settings\ts115 /t:\\file01\profiles\ /takeownership

  • Modify migration configuration file – The migprofile.exe utility can also apply settings from a settings file written in XML. This file uses XML tags to pre-populate migration settings and can be named anything as long as it has an XML extension. Using this settings file is specified on the command line when running the migration utility and for full details on the XML file format, please refer to VMware’s online guide. Typical tags include:-
    • <source> <profilepath>source_profile_path</profilepath> </source>

    • <target> <profilepath>target_profile_path</profilepath> </target>

    • <includefolders>Personal, Desktop, Start Menu, NetHood</includefolders> (Migrates only specified folders instead of all except Cache, History and Local AppData, by default)

  • To run the migration utility with a settings.xml file, use the following syntax:-
    • migprofile.exe migsettings.xml (where the latter file name is your settings file)

 

Section 10 – Troubleshoot a View Implementation

 

Objective 10.1 – Troubleshoot View Pool creation and administration issues

 

Interestingly, the exam blueprint doesn’t give you any real pointers as to what skills and abilities are being measured for this objective, so let’s have fun and speculate on some things that might occur that we need to troubleshoot during pool creation and administrative tasks:-

  • Pool provisioning fails
    • Check storage space
    • Storage overcommit on linked clones
    • View Agent is installed properly
    • DNS resolution is working
    • Windows Firewall issues
    • View Composer service is available
    • Users have entitlements to the pool
    • User creating the pool has the correct permissions in View Administrator
    • Drill into the pool in View Administrator and check the Events tab for hints as to what’s wrong
  • Administration Issues
    • Check the View Connection Server service is running
    • Check Adobe Flash is installed in the browser
    • Check the user has appropriate permissions
    • Check the web browser is supported (chances are remote, but you never know)
    • Check View Administrator session timeout (default is 30 minutes)
    • Dashboard not updating – check Enable Automatic Status Updates is enabled in View Administrator
    • Red lights in View Administrator dashboard – drill into them to get the events view to see what is wrong
    • Verify vCenter permissions for any service accounts used for vCenter access, Composer provisioning etc.

 

Objective 10.2 – Troubleshoot View administration management framework issues

  • Potential Framework Issues
    • Can’t access View Administrator – check View Component Framework is running
    • Can’t access View Administrator – check View Web Component service is running
    • No Events being logged to the Events Database – check the Event Configuration is correct in View Administrator and SQL is up
    • View not sending messages to Syslog server – check Syslog configuration under Event Configuration section

Objective 10.3 – Troubleshoot end user access

 

  • Potential End User Issues
    • Check Windows Firewall at both ends that ports 80,443,4172,3389 are open as a minimum
    • Check the pairing between the Security and Connection Servers if appropriate
    • Check tagging and that tag matching is providing the expected result
    • Check certificate verification on the View Client is set appropriately
    • Perform connectivity tests such as ping, nslookup etc
    • Check the Connection Server service is running
    • Check user entitlements to pools and desktops
    • Check power settings and the user desktop has not gone into suspend mode or hibernation
    • Check there are spare desktops provisioned and ready in a pool
    • Verify display protocols are correctly matched at each end (PCoIP, RDP etc)

Objective 10.4 – Troubleshoot network, storage, and vSphere infrastructure related to View

 

  • Potential Infrastructure Related Issues
    • Check alarms in vCenter for any hardware issues
    • Check access to vCenter for the Connection Server and View Composer
    • Check vCenter permissions for service accounts, if they’re used
    • Check host contention on ESXi hosts
    • Check disk latencies on datastores if desktops are slow
    • Verify connectivity between Connection Servers and Security Servers and ensure 1Gbps links between all
    • Check SQL is healthy
    • Check vSwitch settings are correct and there are no typos (VLAN numbers, Port Group names etc.)
    • Check all vSwitch uplinks are working correctly
    • Check for restrictions placed on virtual desktops by resource pool settings, DRS/HA etc not artificially constraining desktops
    • Check Storage or Network I/O Control policies are not slowing the infrastructure down

 

 

24-07-14

VCAP-DTA Section 7 – Configure and Optimize View Endpoints

Objective 7.1 – Perform View Client Installations

  • Perform manual installation for desktop clients – I don’t think I’m stretching it by saying that I don’t think you’ll be asked to install the client to an Android or iOS device during the exam (after all, how can the moderators check that?). That then takes us to Mac, Linux and Windows. Again, as the EULA says you can’t install a virtual Mac, seems unlikely that will appear. That leaves Linux and Windows and as there aren’t typically that many Linux users around, I’d expect to just have to deploy the client on Windows. To install the Windows client manually, you typically go to the Connection Server from a web browser from the device you want to install the client on, and the browser should detect if you have the client or not. As the download link redirects you to vmware.com, it’s likely the installation files will have been staged in advance to save time.

viewlcinert

  • Once the client has been downloaded, run the client executable and click next to continue.
    • Accept the EULA and click Next.
    • Choose which client features you want, by default both USB Redirection and Login as current User are checked (the exam may ask you to disable some of these features).
    • Optionally enter the DNS name or IP address of the View Connection Server you want to connect to. Click Next.
    • Select single sign on behaviour, such as Show in Connection Dialog and Set Default Option to Login as Current User.
    • Click Next, choose where to place shortcuts (if required).
    • Click Next and click Install to complete.

 

  • Configure silent installation options for desktop clients – To install the Windows client silently, execute the command line below, noting ADDLOCAL=CORE is mandatory!VMware-viewclient-y.y.yxxxxxx.exe /s /v”/qn REBOOT=ReallySuppress VDM_SERVER=cs1.companydomain.com ADDLOCAL=Core,TSSO,USB”
  •  Configure options for various clients – I’m not really sure what more can be added here. The View Client is generally a fairly simple beast, so really all I can think you may be asked to perform is to disable certificate checking (Options | Configure SSL). There is also a View Client ADM template you can import and use, and various settings can be configured here if you want to lock things down. There’s a good chance you’ll be asked to check something on the exam, so worth knowing what it’s capabilities are. The template settings guide is here, some example settings are shown below:-
    • Connect all USB devices to the desktop on launch (useful when the user has a couple of USB printers, scanners or smart card readers)
    • Server URL – Issues a default View Connection Server URL for the View Client
    • Certificate verification mode – Configures SSL certificate checking as noted above
    • Enable multi-media acceleration – Enables MMR on the client
  • There aren’t that many admin template options to configure, so hopefully any exam question on this topic won’t hold you back too long. Just remember that some settings are for RDP only, so again watch out for sly tricks from the exam people!

 

Objective 7.2 – Upgrade View Clients

Again I’d expect that you’ll probably only be asked to play around with Windows View Clients, as other platforms in my experience make up the minority of users. Also, setting up non Windows platforms in a lab environment is probably a bit of a pain for VMware Education. As such, we’ll just focus on the Windows Client upgrades.

  • Upgrade clients to support View server component upgrades  – Typically the back end components are upgraded first, so Connection and Security Servers, vCenter/ESXi if appropriate and the View Agent in the virtual desktop. Once that has been done, the focus changes to the end user’s View Client. This process is very quick and is simply a case of downloading the new client (either from the View Portal or elsewhere, I’m guessing it will be pre-staged for you) and running the installer. As we’ve all done client installers before and there are no gotchas here, I’m not going to document it blow by blow.
  • Identify which clients are supported by VMware or OEMs – Again another pretty straight forward skill being tested. The rule of thumb here is that if the client is a “fat” device (so Windows, Linux or Mac desktop or iOS/Android mobile device) then the administrator can upgrade the client by using the appropriate installation mechanism (Windows Installer, RPM, iTunes etc.). If the client is a thin or zero client, updates to the client will generally come from the manufacturer in the form of firmware updates. I’m not entirely sure how this skill can be effectively tested in a practical environment, but there you go.
  • Identify which clients are administrator or user downloadable – The View Portal is the place for end users to get the View Client and these links will usually send the end user to vmware.com to download the latest and greatest. So again, “fat” clients are generally user upgradable with appropriate permissions (administrator on Windows, for example) and thin clients where updates are performed by firmware updates are something only an administrator would do.
  • Perform View Local Mode Client upgrade – Upgrading the View Client with Local Mode option is more or less the same as upgrading the regular View Client with a couple of exceptions. Firstly, you need to ensure the user has checked in their desktop before upgrading the client. If the end user has a View Client version 4.6.0 or earlier, they must check in their desktop first, remove the old client and then install the 5.2 client fresh once the back end desktop infrastructure has been upgraded.