14-08-14

VCAP-DTA Exam Experience (Redux)

So I got back about an hour ago from my second sitting of the VCAP-DTA exam in Leeds. As regular readers will know, I sat it a couple of weeks ago and failed. The score report I got back gave me some suggestions on the areas I wasn’t quite so hot on, so I spent some extra time going back over those and making sure I understood them (two factor authentication and group policy settings to name but two). I had the mindset that if I didn’t pass it today, it would be a while before I’d be back as my employer wants me to get up to speed with the latest MCSE track and quickly, meaning I wouldn’t have the bandwidth (or the mental capacity!) to take on both at the same time.

Nor did it help that I was running a little late, I’d had a coffee and an early lunch because as usual, my appointment spanned over lunch time and I didn’t want to get hungry. By the time I set off for the test centre, it was getting close to my appointment time start so I had to run the last couple of hundred yards to make it on time. With that and a coffee swilling around inside me, my eyes were on stalks when the exam started!

I’m not sure how large the pool of questions is, but I did get a few I’d had previously, including some I came a little unstuck on. I tried to move on if I felt I was getting bogged down, with the intention of picking up as many points as possible elsewhere. Somewhat surprisingly, by the time I’d completed question 23, I still had 30 minutes left. So I went back, quickly checking my answers and referring to the admin guide on the ones I was stuck on.

It turned out to be a pretty effective strategy, although I did go back to delete and restart one “answer” I’d started and then ran out of time, as the desktop refresh was a little laggier than last time, and I couldn’t quite complete the task in time.

I came out feeling tense as I thought I’d passed last time and didn’t, and I was mindful that I hadn’t completed all tasks with the loss of points that entails. Anyway, I got the score report back quickly again (thanks Joshua!) and this time thankfully I’ve passed! So now I have four VCAPs and I can afford to dream of the far off pot of gold that is the VCDX. I’m not going to think about that yet, as I’ve a box full of Microsoft exams to get done before I can get to that. Still, in the words of Peter Venkman, “we came, we saw, we kicked its ASS!”

 

G-1136 - We came, we saw, we kicked its ass

 


30-07-14

VCAP-DTA Consolidated Study Guide 1.4 Available

 

download

 

I did promise on Twitter last week that once I’d got the exam out of the way, I’d take the study notes I’d written so far and put them into one document for easier (and offline) reading. Well I’ve done that. Turns out it was a lot more effort than I thought, but it’s now available from the link in the top menu bar on the VF homepage. There may be errors or typos in there, I checked it the best I could. If you spot anything, let me know via Twitter and I will try and correct it once I’ve validated it.

I’m also writing some exam questions that follow the exam blueprint. Nothing special, but it will hopefully just jog your memory enough to make sure you understand the things you’re being tested on. That’s coming along nicely and should be available by the week’s end.

Hopefully you will find the study guide of use for the exam, all feedback is welcome as I improve it.

 

28-07-14

VCAP-DTA Exam Experience

As most regular readers will know, I sat the VCAP-DTA exam last Friday. The short version is I failed. Only by a few points, but first is first and second is nowhere, as they say. I’d been studying for the exam on and off for seven months and I felt reasonably well prepared for it, but like all good exams, it found my weaker spots and probed them mercilessly.

As usual, I had to travel over the Pennines to Leeds to my nearest VCAP test centre. I don’t mind that so much, it’s an air conditioned train and I can get some quiet time to go back over my study notes and make sure I’ve got it all fresh in my mind. The exam itself is 23 questions (many with subtasks) over 3 hours. I say this all the time, but it’s really tight time wise and you just don’t have the slack in the three hours to get stuck on something or to go back and validate your responses. That’s not an excuse by the way, I’ve said that before on VCAP exams I’ve passed.

In terms of exam content, it was pretty close to the blueprint, so the usual advice of read it thoroughly before you go in still stands true. A special mention for VMware Education for getting my results back in a couple of hours. I know a lot of effort has gone into streamlining the marking process and it is better to get the results quickly, even if it wasn’t the score you wanted.

How did I feel? Annoyed with myself, but also a bit surprised. My gut feeling was that I’d done enough to get through the exam and pass, but I hadn’t. That being said, I know of other very competent View folks who haven’t got past it first time either. I suppose if anything, it illustrates the value of the certification as it’s so hard (for me) to get.

I will be back to have another crack at it, but I have to wait 14 days now. I’ll probably need that long to recompose myself (no pun intended) and also to cover over ThinApp and other items that kicked my ass a bit. Anyone who thinks that you only need to know your way around View Administrator is in for a pretty rude awakening.

So then, to close, here are some words of advice :-

  • Follow the blueprint and look at the wording of the skills and abilities section carefully
  • Keep moving. You have three hours and it will go in a snap. If you are doing a task that requires an installer running, kick it off and move on to the next thing. It will buy you valuable minutes and you can go back to it later
  • Steve Dunne’s advice on re-sizing your remote screens to 1024 x 768 is a good one if you don’t have a large monitor
  • If you get the 5 minute warning and you haven’t finished and then you can’t click inside your remote session anymore, click the question tab and then click the top tab to get back to your remote session to restore control. I worked this out with about 45 seconds to go!
  • Use the study guides available, they’ve usually been written by folks who’ve been through the pain of the exam!
  • Run through all the objectives in your lab. If you can’t afford a home lab, use the VMware Hands On Labs and just play around there, I’m sure they won’t mind if you don’t stick to the script

25-07-14

VCAP-DTA Section 8 – Secure a View Implementation

Objective 8.1 – Configure and Deploy Certificates

Section 8 assumes we now have a fully upgraded and working View 5.2 pod and end users are happy as we’ve sorted out their clients. Now we have to circle back and look at ways of locking down and securing the View pod against unauthorised access.

  • Configure 2 Factor/Smart Card Authentication including truststore – 2 Factor authentication is configured on a per Connection Server basis. So go into View Administrator, select View Configuration, Servers and then the Connection Server tab. Select the Connection Server you want to configure for two factor authentication and select Edit. Click the Authentication tab and you’ll see the dialog as shown below.
    • You must first obtain the root Certificate Authority certificate from the CA being used to sign the certificates on the smart cards
    • Use the keytool utility to import the CA certificate into the server truststore file using the command syntax keytool -import -alias alias -file root_certificate -keystore truststorefile.key
    • Copy the truststore file into the sslgateway folder on either the Connection or Security Server, depending on the scenario. This is typically located at %PROGRAMFILES%\VMware\VMware View\Server\sslgateway\conf\
    • Smartcard authentication has three options in the drop down, Not Allowed, Optional, Required. Choose the appropriate option. You can also check the box to disconnect sessions on smart card removal, for added security.

2factor

 

 

  • In the Advanced Authentication section, choose whether 2 Factor authentication is Disabled, RSA SecurID or RADIUS. For exam purposes, I’m assuming it will be RADIUS as this is not a proprietary solution.

radius

  • With RADIUS selected, choose whether to Enforce 2-factor and Windows user name matching and/or Use the same user name and password for RADIUS and Windows authentication.
    • In the Authenticator drop box, choose Create New Authenticator and fill out the RADIUS server details similar to below:-

radius-server

 

  • Complete the wizard to finish the setup of RADIUS.

 

  • Configure and deploy View certificates – By default, View Connection and Security Servers use self signed certificates. This in itself is fine and will work, but you will see warnings in View Administrator to say these certificates aren’t trusted as they weren’t issued by a trusted Certificate Authority. In order to secure your Connection and Security servers, you will need to perform the following process:-
    • Create a Certificate Signing Request (CSR) from the server you wish to add a trusted certificate to (you can use Windows certreq tool to do this). The View documentation has a request.inf file you can re-use for this purpose (certificate must be in PKCS12 format)
    • Obtain a signed certificate from the issuing CA
    • Verify the CSR and the private key are stored in the local computer’s certificate store by running certmgr.msc and looking in the Certificate Enrolment Request folder
    • Import the certificate into the local store using certreq -accept cert.cer
    • Once the certificate is imported, in Certificate Management, add the friendly name of vdm to the certificate and install the root CA and intermediate (if appropriate) certificate into the certificate store
    • Restart the Connection, Security or Composer Services for the changes to take effect
  • Configure certificate revocation checking using the locked.properties file – Certificate Revocation is another security step which prevents SSL certificates that have been listed as revoked by the issuer from being reused for secure services. In order to configure View to use certificate revocation lists (CRL), you need to amend the locked.properties file which can be found in %PROGRAMFILES%\VMware\VMware View\Server\sslgateway\conf\ with the following lines:-
    • enableRevocationChecking=true
      enableOCSP=true
      allowCertCRLs=true
      ocspSigningCert=te-ca.signing.cer
      ocspURL=http://te-ca.lonqa.int/ocsp
    • Where ocspURL is the URL of the OCSP Responder. Note the above is used for smartcard certificate checking, View server certificates have CRL checking built in.
    • If you are using your own CA and cannot include CRL information in the certificate, amend the CertificateRevocationCheckType registry key under HKLM\Software\VMware, Inc.\VMware VDM\Security and set the appropriate level as below:-
      • 1 – Do not perform CRL checking
      • 2 – Only check the server certificate, don’t check any other certificates in the chain
      • 3 – Check all certificates in the chain
      • 4 – Check all certificates except the root (default)
  • Perform a certificate replacement using sviconfig – Adding a certificate to View Composer follows pretty much the same steps as above (Create CSR, get signed certificate, import certificate) but with one additional step. Stop the View Composer service and run the command sviconfig -operation=ReplaceCertificate -delete=false to use the new certificate added to the local certificate store. The delete=false option is mandatory, and a value of false means the old certificate is not deleted from the Windows certificate store. Enter the number of the certificate you wish to use and then finally restart the View Composer service for all changes to take effect.
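A post-change check for the certificate deployment and revocation steps above, written as an added example (it is not VMware code). The function names are hypothetical, the locked.properties content is a constructed sample, and only the five properties and the registry value named above are evaluated.

```powershell
# Added example, not VMware code. Run elevated on the Connection or Security Server.

function Test-VdmCertificate {
    # Inspect Local Computer\Personal for the certificate tagged with friendly name 'vdm'.
    $now      = Get-Date
    $findings = @()
    $certs    = @(Get-ChildItem Cert:\LocalMachine\My |
                  Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($certs.Count -eq 0) { $findings += "no certificate has the friendly name 'vdm'" }
    if ($certs.Count -gt 1) { $findings += "$($certs.Count) certificates carry the friendly name 'vdm'" }
    foreach ($c in $certs) {
        $id = $c.Thumbprint
        if (-not $c.HasPrivateKey)    { $findings += "${id}: no private key; was the CSR generated on this server?" }
        if ($c.NotAfter  -lt $now)    { $findings += "${id}: expired on $($c.NotAfter)" }
        if ($c.NotBefore -gt $now)    { $findings += "${id}: not valid before $($c.NotBefore)" }
        if ($c.Subject -eq $c.Issuer) { $findings += "${id}: self-signed, so View Administrator will flag it as untrusted" }
    }
    return $findings
}

function ConvertFrom-LockedProperties([string[]]$Lines) {
    # key=value parser: skips blank lines and '#' comments, splits on the first '='.
    $props = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $k, $v = $t -split '=', 2
        $props[$k.Trim()] = "$v".Trim()
    }
    return $props
}

function Test-RevocationConfig([hashtable]$Props) {
    # Only the five properties shown in the study notes are evaluated.
    $findings = @()
    if ($Props['enableRevocationChecking'] -ne 'true') {
        $findings += 'enableRevocationChecking is not true: revoked smart card certificates are still accepted'
        return $findings
    }
    $ocsp = $Props['enableOCSP'] -eq 'true'
    $crl  = $Props['allowCertCRLs'] -eq 'true'
    if (-not ($ocsp -or $crl)) { $findings += 'neither enableOCSP nor allowCertCRLs is true' }
    if ($ocsp -and -not $Props['ocspURL'])         { $findings += 'enableOCSP=true but ocspURL is empty' }
    if ($ocsp -and -not $Props['ocspSigningCert']) { $findings += 'enableOCSP=true but ocspSigningCert is empty' }
    return $findings
}

function Get-CrlCheckLevel {
    # Value meanings are those listed in the notes; an absent value is treated as the default, 4.
    $meaning = @{ 1 = 'no CRL checking'; 2 = 'server certificate only';
                  3 = 'all certificates in the chain'; 4 = 'all certificates except the root (default)' }
    $key  = 'HKLM:\Software\VMware, Inc.\VMware VDM\Security'
    $item = Get-ItemProperty -Path $key -Name CertificateRevocationCheckType -ErrorAction SilentlyContinue
    $v    = if ($item) { [int]$item.CertificateRevocationCheckType } else { 4 }
    return "CertificateRevocationCheckType = $v ($($meaning[$v]))"
}

# Constructed sample with one mistake (empty ocspURL). On a server, read the real file instead:
#   Get-Content "$env:ProgramFiles\VMware\VMware View\Server\sslgateway\conf\locked.properties"
$sample = @'
# locked.properties (constructed sample)
enableRevocationChecking=true
enableOCSP=true
allowCertCRLs=true
ocspSigningCert=te-ca.signing.cer
ocspURL=
'@ -split '\r?\n'

$report = @(Test-VdmCertificate) + @(Test-RevocationConfig (ConvertFrom-LockedProperties $sample))
if ($report.Count) { $report | ForEach-Object { "FINDING: $_" } } else { 'No findings' }
Get-CrlCheckLevel
```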

 

Objective 8.2 – Harden View Components and View Desktops

  • Open firewall ports used by View components – Regardless of whether you need to change the server or client end firewall settings, this is done via Firewall.cpl or Windows Firewall, depending on how you prefer to run these things. By default during View component installation, if the installer detects Windows Firewall is running, it will attempt to make the required firewall changes to allow View to operate, opening ports such as 80 and 443 (HTTP(S) for authentication), 4172 (PCoIP), 3389 (RDP), 32111 (USB redirection), 9427 (MMR), 4001 (JMS) and 50002 (PCoIP). Verify these ports are enabled at both ends where appropriate and ensure the correct protocol is used (UDP or TCP). Chances are in the exam you’ll be asked to add a firewall rule to facilitate a connection. Also don’t forget there are three firewall profiles – domain, private and public networks. Make sure this doesn’t catch you out. To make changes to the Windows Firewall, select Allow a program or feature through Windows Firewall. All installed VMware services should be listed; tick the box next to each service you want to allow through, as shown below:-

Firewall
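The three-profile pitfall mentioned above can be checked per port, as in this added example (not VMware code). It uses the property names of the Windows Firewall COM object HNetCfg.FwPolicy2; the rule set is a constructed sample, the function names are hypothetical, and the TCP/UDP assignment for each port is an assumption to confirm against the View documentation for your version.

```powershell
# Added example, not VMware code. Ports come from the notes (PCoIP as 4172, per Objective 10.3);
# the protocol per port is an assumption. This list suits a desktop running the View Agent.
$required = @(
    @{ Port = 4172;  Proto = 'TCP'; Use = 'PCoIP' },
    @{ Port = 4172;  Proto = 'UDP'; Use = 'PCoIP' },
    @{ Port = 3389;  Proto = 'TCP'; Use = 'RDP' },
    @{ Port = 32111; Proto = 'TCP'; Use = 'USB redirection' },
    @{ Port = 9427;  Proto = 'TCP'; Use = 'MMR' }
)

function Test-PortInSpec([int]$Port, [string]$Spec) {
    # LocalPorts is a string such as "443", "80,443", "5000-5010" or "*".
    if ([string]::IsNullOrEmpty($Spec)) { return $false }
    foreach ($part in $Spec.Split(',')) {
        $p = $part.Trim()
        if ($p -eq '*') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

function Get-MissingProfiles($Rules, [int]$Port, [string]$Proto) {
    # Returns the profile names in which no enabled inbound allow rule covers the port.
    # Block rules (which override allows) and per-program scoping are not evaluated.
    $protoNum = @{ TCP = 6; UDP = 17 }[$Proto]
    $covered  = 0
    foreach ($r in $Rules) {
        # Direction 1 = inbound, Action 1 = allow, Protocol 256 = any
        if (-not $r.Enabled -or $r.Direction -ne 1 -or $r.Action -ne 1) { continue }
        $hit = ($r.Protocol -eq 256) -or
               ($r.Protocol -eq $protoNum -and (Test-PortInSpec $Port $r.LocalPorts))
        if ($hit) { $covered = $covered -bor ($r.Profiles -band 7) }
    }
    $bits = @{ Domain = 1; Private = 2; Public = 4 }
    return @($bits.Keys | Where-Object { -not ($covered -band $bits[$_]) } | Sort-Object)
}

function New-SampleRule($Name, $Enabled, $Protocol, $LocalPorts, $Profiles) {
    New-Object PSObject -Property @{ Name = $Name; Enabled = $Enabled; Direction = 1; Action = 1
                                     Protocol = $Protocol; LocalPorts = $LocalPorts; Profiles = $Profiles }
}

# Constructed sample rules. For the live rule set use:
#   $rules = @((New-Object -ComObject HNetCfg.FwPolicy2).Rules)
$rules = @(
    (New-SampleRule 'PCoIP TCP-In' $true  6  '4172'       1),          # Domain profile only
    (New-SampleRule 'PCoIP UDP-In' $false 17 '4172'       7),          # present but disabled
    (New-SampleRule 'RDP and USB'  $true  6  '3389,32111' 2147483647), # all profiles
    (New-SampleRule 'MMR range'    $true  6  '9000-9500'  3)           # Domain + Private
)

foreach ($p in $required) {
    $missing = @(Get-MissingProfiles $rules $p.Port $p.Proto)
    $status  = if ($missing.Count) { 'NOT allowed in: ' + ($missing -join ', ') }
               else { 'allowed in all three profiles' }
    '{0,-6}{1,-4} {2,-16} {3}' -f $p.Port, $p.Proto, $p.Use, $status
}
```

With the sample rules, 4172/TCP is reported as missing from Private and Public, 4172/UDP from all three profiles, and 9427/TCP from Public.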

  • Disable Windows services – View has several services it uses in the normal course of operations, including:-
    • VMware View Connection Server
    • VMware View Framework Component
    • VMware View Script Host
    • VMwareVDMDS
  • Typically only the services required will be started automatically, but in the exam there may be a case of a service started that shouldn’t be, or vice versa. At a glance, the prime suspect would appear to be VMware View Script Host, which is usually disabled but must be enabled if scripts are to be run against the server. To enable and disable services, go to Start | Run | services.msc. All View services are prefixed with “VMware”, so they’re all pretty easy to spot in the services list. Whichever service you wish to configure, right click and go Properties and change the Startup Type to Disabled, Manual or Automatic. You can also stop a service from this dialog.

services

 

  • Configure appropriate message security mode – Message security mode assigns security to JMS messages, which is the method that View components use to communicate with each other. By default, this setting is enabled so all JMS messages that are not signed correctly are rejected. This can be amended to disabled or mixed, where message security is enabled but not enforced. Generally this setting is only required with legacy versions of View (3.0 or earlier). To configure this setting, go to View Administrator and then View Configuration | Global Settings | Security Pane Edit and choose the required mode from the drop box as shown below:-

securitymode

  • Configure SSL for appropriate View functions – By default, View uses HTTPS redirection already for View client and administration traffic, in addition to Local Mode SSL encryption. As this is already enabled by default, I can only surmise that it will have been disabled somewhere for the purposes of the exam. Also, ensure the link to vCenter goes over port 443 and the View Composer port is 18443 by default, which is also secure. All of this is configured from View Administrator, under View Configuration | Servers. Select the vCenter Server or Connection Server you wish to configure and select Edit to make the required changes. The Local Mode settings are under the Connection Server under the Local Mode tab.
  • Configure secure tunneling – Secure tunneling is used when additional security or direct connections to the virtual desktops are not possible or desirable. All three protocol methods (RDP, PCoIP and HTML/Blast) have their own secure gateway tunnel and this is configured from within View Administrator. Go to View Configuration | Servers | Connection Servers and click Edit. From here, the General tab lists all gateways where they can be enabled/disabled and configured. Simply check the box next to the gateway to enable it and change any URLs/ports as required, as shown below. Remember the PCoIP Secure Tunnel URL is always an IP address!

tunnels

 

  • Configure security settings in the View Agent Configuration Template – To configure security settings for the View Agent, you need to add the ADM template file into Group Policy Management (or you can add it in locally to your master image). The file is called vdm_agent.adm and can be found on the Connection Server under %PROGRAMFILES%\VMware\VMware View\Server\extras\GroupPolicyFiles. Once added into Group Policy Management, various options can be set as shown below, including:-
    • USB Configuration (allow/disallow USB device types, models etc.)
    • Agent Configuration (Commands to run on connect/reconnect etc.)
    • Agent Security (allow unencrypted connections from older legacy devices)

viewagent

 

 

VCAP-DTA Section 9 – Configure Persona Management for a View Implementation

 

Objective 9.1 – Deploy a Persona Management Solution

  • Create a Persona Management repository – To create a View Persona Management (VPM) repository, simply create a regular file share on a Windows server on the network. This can be a NAS device or a Windows Server, it doesn’t really matter. When creating the VPM share, note the following guidelines from the View Persona Management guide:-
    • The shared folder does not have to be in the same domain as View Connection Server
    • The shared folder must be in the same Active Directory forest as the users who store profiles in the shared folder
    • You must use a shared drive that is large enough to store the user profile information for your users. To support a large View deployment, you can configure separate repositories for different desktop pools
      • If users are entitled to more than one pool, the pools that share users must be configured with the same profile repository. If you entitle a user to two pools with two different profile repositories, the user cannot access the same version of the profile from desktops in each pool
    • You must create the full profile path under which the user profile folders will be created. If part of the path does not exist, Windows creates the missing folders when the first user logs in and assigns the user’s security restrictions to those folders. Windows assigns the same security restrictions to every folder it creates under that path
      • For example, for user1 you might configure the View Persona Management path \\server\VPRepository\profiles\user1. If you create the network share \\server\VPRepository, and the profiles folder does not exist, Windows creates the path \profiles\user1 when user1 logs in. Windows restricts access to the \profiles\user1 folders to the user1 account. If another user logs in with a profile path in \\server\VPRepository\profiles, the second user cannot access the repository and the user’s profile fails to be replicated
  • Implement optimized Persona Management GPOs – To add VPM group policies, you first need to add in the ADM template file to Group Policy Management. You can add it locally to a parent image, but then you will lose management control. To enable management domain wide, adding the template into Group Policy Management and linking it to an OU in Active Directory is preferred. The ADM template is called ViewPM.adm and can be found on a Connection Server under %PROGRAMFILES%\VMware\VMware View\Server\extras\GroupPolicyFiles. Once added into Group Policy Management, the following settings folders are available:-
    • Roaming and synchronization
    • Folder redirection
    • Desktop UI
    • Logging
  • There are dozens of different settings available to VPM in the group policy, so the exam will probably have some specific requirements on you to configure. Two settings you will need are the first settings in the Roaming and synchronization folder, Manage User Persona and Persona Repository Location. Set the first setting to Enabled to switch on VPM, and here you can change the default synch period from 10 minutes to something else. For Persona Repository Location, set this to Enabled and configure the UNC path to the share you previously configured, \\dc01.beckett.local\VPRepository for example.

vpmsync

  • Implement optimized Windows Roaming Profiles with Persona Management – There may be some cases whereby you do not want to constantly sync parts of the user profile every 10 minutes using VPM. Perhaps there is an application dependency. What you can do within the GPO is set some folders to be exempt from the ongoing sync process and only sync the changes to the VPM repository when a user logs off. To do this, go to your VPM group policy and set folder exceptions as shown below:-

syncexceptions

 

Objective 9.2 – Migrate a Windows Profile

 

  • Ensure pre-requisites are met for a profile migration – The pre-requisites from the View Admin guide are listed below:-
    • Run the migration utility on a Windows 7 or Windows 8 physical computer or virtual machine
    • Log in to the Windows 7 or Windows 8 system as a local administrator
    • Verify that the system on which you run the utility has network access to the CIFS network shares that contain the source V1 path and destination V2 path
    • Verify that the user account that runs the utility is a local administrator on the destination CIFS network share
    • If the user account that runs the utility does not have full ownership of the user profiles that are migrated, specify the /takeownership option with the utility
      • This option passes ownership of the user profile folders to the utility during the migration. Ownership is returned to the users after the migration is completed
    • Ensure that the users whose profiles are being migrated are not logged in to their Windows XP systems when you initiate the migration
      • If a user is in an active session during the migration, the migration might fail
    • Ensure that users do not start using their Windows 7 or Windows 8 desktops before the migration is completed
      • When users start using their View desktops, View Persona Management creates V2 profiles for the users. If a V2 profile already exists before the migration runs, the utility leaves the existing V2 profile in place and does not migrate the legacy V1 profile
  • Perform profile migration using migprofile.exe – The migprofile.exe utility is installed with the View Agent and can be found under %PROGRAMFILES%\VMware\VMware View\Agent\bin or can be installed standalone. The utility can be used to migrate V1 profiles (Windows XP) en masse from a shared repository to another repository in V2 format, or used on a piecemeal basis to upgrade a user at a time, if required. The examples below are taken from the View Persona Management guide:-
    • migprofile.exe /s:\\file01\profiles\* /takeownership performs an in-place upgrade of profiles on a network share from V1 format to V2. The latter have the .V2 extension added to the profile folder

    • The following example migrates the V1 profile for the user ts115 on the computer devvm-winxp to the remote path \\file01\profiles. The utility takes ownership of the user profiles during the migration:

      migprofile.exe /s:\\devvm-winxp\c$\documents and settings\ts115 /t:\\file01\profiles\ /takeownership

  • Modify migration configuration file – The migprofile.exe utility can also apply settings from a settings file written in XML. This file uses XML tags to pre-populate migration settings and can be named anything as long as it has an XML extension. Using this settings file is specified on the command line when running the migration utility and for full details on the XML file format, please refer to VMware’s online guide. Typical tags include:-
    • <source> <profilepath>source_profile_path</profilepath> </source>

    • <target> <profilepath>target_profile_path</profilepath> </target>

    • <includefolders>Personal, Desktop, Start Menu, NetHood</includefolders> (Migrates only specified folders instead of all except Cache, History and Local AppData, by default)

  • To run the migration utility with a settings.xml file, use the following syntax:-
    • migprofile.exe migsettings.xml (where the latter file name is your settings file)

 

Section 10 – Troubleshoot a View Implementation

 

Objective 10.1 – Troubleshoot View Pool creation and administration issues

 

Interestingly, the exam blueprint doesn’t give you any real pointers as to what skills and abilities are being measured for this objective, so let’s have fun and speculate on some things that might occur that we need to troubleshoot during pool creation and administrative tasks:-

  • Pool provisioning fails
    • Check storage space
    • Storage overcommit on linked clones
    • View Agent is installed properly
    • DNS resolution is working
    • Windows Firewall issues
    • View Composer service is available
    • Users have entitlements to the pool
    • User creating the pool has the correct permissions in View Administrator
    • Drill into the pool in View Administrator and check the Events tab for hints as to what’s wrong
  • Administration Issues
    • Check the View Connection Server service is running
    • Check Adobe Flash is installed in the browser
    • Check the user has appropriate permissions
    • Check the web browser is supported (chances are remote, but you never know)
    • Check View Administrator session timeout (default is 30 minutes)
    • Dashboard not updating – check Enable Automatic Status Updates is enabled in View Administrator
    • Red lights in View Administrator dashboard – drill into them to get the events view to see what is wrong
    • Verify vCenter permissions for any service accounts used for vCenter access, Composer provisioning etc.

 

Objective 10.2 – Troubleshoot View administration management framework issues

  • Potential Framework Issues
    • Can’t access View Administrator – check View Component Framework is running
    • Can’t access View Administrator – check View Web Component service is running
    • No Events being logged to the Events Database – check the Event Configuration is correct in View Administrator and SQL is up
    • View not sending messages to Syslog server – check Syslog configuration under Event Configuration section

Objective 10.3 – Troubleshoot end user access

 

  • Potential End User Issues
    • Check Windows Firewall at both ends that ports 80,443,4172,3389 are open as a minimum
    • Check the pairing between the Security and Connection Servers if appropriate
    • Check tagging and that tag matching is providing the expected result
    • Check certificate verification on the View Client is set appropriately
    • Perform connectivity tests such as ping, nslookup etc
    • Check the Connection Server service is running
    • Check user entitlements to pools and desktops
    • Check power settings and the user desktop has not gone into suspend mode or hibernation
    • Check there are spare desktops provisioned and ready in a pool
    • Verify display protocols are correctly matched at each end (PCoIP, RDP etc)

Objective 10.4 – Troubleshoot network, storage, and vSphere infrastructure related to View

 

  • Potential Infrastructure Related Issues
    • Check alarms in vCenter for any hardware issues
    • Check access to vCenter for the Connection Server and View Composer
    • Check vCenter permissions for service accounts, if they’re used
    • Check host contention on ESXi hosts
    • Check disk latencies on datastores if desktops are slow
    • Verify connectivity between Connection Servers and Security Servers and ensure 1Gbps links between all
    • Check SQL is healthy
    • Check vSwitch settings are correct and there are no typos (VLAN numbers, Port Group names etc.)
    • Check all vSwitch uplinks are working correctly
    • Check for restrictions placed on virtual desktops by resource pool settings, DRS/HA etc not artificially constraining desktops
    • Check Storage or Network I/O Control policies are not slowing the infrastructure down

 

 

24-07-14

VCAP-DTA Section 7 – Configure and Optimize View Endpoints

Objective 7.1 – Perform View Client Installations

  • Perform manual installation for desktop clients – I don’t think I’m stretching it by saying that I don’t think you’ll be asked to install the client to an Android or iOS device during the exam (after all, how can the moderators check that?). That then takes us to Mac, Linux and Windows. Again, as the EULA says you can’t install a virtual Mac, seems unlikely that will appear. That leaves Linux and Windows and as there aren’t typically that many Linux users around, I’d expect to just have to deploy the client on Windows. To install the Windows client manually, you typically go to the Connection Server from a web browser from the device you want to install the client on, and the browser should detect if you have the client or not. As the download link redirects you to vmware.com, it’s likely the installation files will have been staged in advance to save time.

viewlcinert

  • Once the client has been downloaded, run the client executable and click next to continue.
    • Accept the EULA and click Next.
    • Choose which client features you want, by default both USB Redirection and Login as current User are checked (the exam may ask you to disable some of these features).
    • Optionally enter the DNS name or IP address of the View Connection Server you want to connect to. Click Next.
    • Select single sign on behaviour, such as Show in Connection Dialog and Set Default Option to Login as Current User.
    • Click Next, choose where to place shortcuts (if required).
    • Click Next and click Install to complete.

 

  • Configure silent installation options for desktop clients – To install the Windows client silently, execute the command line below, noting ADDLOCAL=CORE is mandatory!

      VMware-viewclient-y.y.yxxxxxx.exe /s /v"/qn REBOOT=ReallySuppress VDM_SERVER=cs1.companydomain.com ADDLOCAL=Core,TSSO,USB"

  • Configure options for various clients – I’m not really sure what more can be added here. The View Client is generally a fairly simple beast, so really all I can think you may be asked to perform is to disable certificate checking (Options | Configure SSL). There is also a View Client ADM template you can import and use, and various settings can be configured here if you want to lock things down. There’s a good chance you’ll be asked to check something on the exam, so worth knowing what its capabilities are. The template settings guide is here, some example settings are shown below:-
    • Connect all USB devices to the desktop on launch (useful when the user has a couple of USB printers, scanners or smart card readers)
    • Server URL – Issues a default View Connection Server URL for the View Client
    • Certificate verification mode – Configures SSL certificate checking as noted above
    • Enable multi-media acceleration – Enables MMR on the client
  • There aren’t that many admin template options to configure, so hopefully any exam question on this topic won’t hold you back too long. Just remember that some settings are for RDP only, so again watch out for sly tricks from the exam people!

 

Objective 7.2 – Upgrade View Clients

Again I’d expect that you’ll probably only be asked to play around with Windows View Clients, as other platforms in my experience make up the minority of users. Also, setting up non Windows platforms in a lab environment is probably a bit of a pain for VMware Education. As such, we’ll just focus on the Windows Client upgrades.

  • Upgrade clients to support View server component upgrades  – Typically the back end components are upgraded first, so Connection and Security Servers, vCenter/ESXi if appropriate and the View Agent in the virtual desktop. Once that has been done, the focus changes to the end user’s View Client. This process is very quick and is simply a case of downloading the new client (either from the View Portal or elsewhere, I’m guessing it will be pre-staged for you) and running the installer. As we’ve all done client installers before and there are no gotchas here, I’m not going to document it blow by blow.
  • Identify which clients are supported by VMware or OEMs – Another pretty straightforward skill being tested. The rule of thumb here is that if the client is a “fat” device (so Windows, Linux or Mac desktop or iOS/Android mobile device) then the administrator can upgrade the client by using the appropriate installation mechanism (Windows Installer, RPM, iTunes etc.). If the client is a thin or zero client, updates to the client will generally come from the manufacturer in the form of firmware updates. I’m not entirely sure how this skill can be effectively tested in a practical environment, but there you go.
  • Identify which clients are administrator or user downloadable – The View Portal is the place for end users to get the View Client and these links will usually send the end user to vmware.com to download the latest and greatest. So again, “fat” clients are generally user upgradable with appropriate permissions (administrator on Windows, for example) and thin clients where updates are performed by firmware updates are something only an administrator would do.
  • Perform View Local Mode Client upgrade – Upgrading the View Client with Local Mode option is more or less the same as upgrading the regular View Client with a couple of exceptions. Firstly, you need to ensure the user has checked in their desktop before upgrading the client. If the end user has a View Client version 4.6.0 or earlier, they must check in their desktop first, remove the old client and then install the 5.2 client fresh once the back end desktop infrastructure has been upgraded.

 

23-07-14

VCAP-DTA Objective 6.3 – Analyze PCoIP Metrics for Performance Optimization

Skills and abilities being tested :-

  • Interpret PCoIP WMI counters – When you install the View Agent on a virtual desktop, additional WMI (Windows Management Instrumentation) counters are added to the Windows virtual desktop. Amongst other things, this allows you to add in statistics for PCoIP performance, which can come in very handy when troubleshooting performance issues. To do this, go to the virtual desktop, go to Start | Run | perfmon.exe and once Performance Monitor starts, click on the green plus button and add in your required counters. You can choose from the following areas:-
    • PCoIP Session Audio Statistics
    • PCoIP Session General Statistics
    • PCoIP Session Imaging Statistics
    • PCoIP Session Network Statistics
    • PCoIP Session USB Statistics

   The key point here is not to add all the counters and get blinded by lines shooting around all over the place, and remember that the PCoIP server needs to be active in order to generate statistics. That means if you connect to a virtual desktop via RDP, you will see counters all flatlined and wonder what all the fuss is about! The View Integration Guide has some really good guidance on how to interpret the metrics here and is worth a read to help make sense of the perfmon statistics, and to get the equations on how to calculate bandwidth used for audio and video etc. If you are having performance issues, it may be that you have set an aggressive group policy that throttles bandwidth too low and the connection is maxing out its assigned bandwidth. Remember you do have the View PDFs to hand in the exam, so you can open the Integration guide and go straight to this section to save you from having to remember how to compute bandwidth values.

  • Interpret PCoIP log files – PCoIP log files are stored under %PROGRAMDATA%\VMware\VDM\logs and Simon Long has an excellent blog post on how to interpret PCoIP log files, so take a look at that before the exam. It mainly discusses the PCoIP Log Viewer, which to the best of my knowledge you won’t have access to in the exam but all of the relevant metrics to look out for are there in the text. The Log Viewer just puts it in a more friendly format. That being said, if you have a look at Andre Leibovici’s guide, for the sake of the exam it’s worth remembering key words or phrases and then searching the log files for those key words. Remember, time in the exam is a luxury you don’t have! Look out for the following:-
    • Registry setting parameter pcoip.max_link_rate 
    • Loss= (signifies packet loss on the network)
    • Plateau (maximum bandwidth used by PCoIP)

    Andre has another article on key word searches in log files here, well worth a read.
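The key word search described above, as an added Python example that is not part of the original post. The log lines are constructed and their layout is an assumption; only the three search terms come from the post, and the 1% loss threshold is a hypothetical value.

```python
import re

# Constructed sample lines, not captured from a real desktop. The layout is an
# assumption built around the three key words the post says to search for.
SAMPLE_LOG = """\
20:40:01 MGMT_ENV :Registry setting parameter pcoip.max_link_rate = 900
20:40:05 VGMAC :Stat frms: Loss=0.00%/0.00% (R/T)
20:40:10 MGMT_PCOIP_DATA :Tx thread info: bw limit = 900, plateau = 900.0
20:40:15 VGMAC :Stat frms: Loss=0.10%/2.50% (R/T)
"""

MAX_LINK = re.compile(r"pcoip\.max_link_rate\s*=\s*(\d+)")
LOSS = re.compile(r"Loss=([\d.]+)%/([\d.]+)%")
PLATEAU = re.compile(r"bw limit\s*=\s*([\d.]+),\s*plateau\s*=\s*([\d.]+)", re.I)

def scan_pcoip_log(text, loss_threshold=1.0):
    """Return the configured link rate, the worst loss seen and flagged lines."""
    result = {"max_link_rate": None, "worst_loss": 0.0, "findings": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = MAX_LINK.search(line)
        if m:
            result["max_link_rate"] = int(m.group(1))
        m = LOSS.search(line)
        if m:
            # Two percentages are logged; keep whichever is higher.
            worst = max(float(m.group(1)), float(m.group(2)))
            result["worst_loss"] = max(result["worst_loss"], worst)
            if worst >= loss_threshold:
                result["findings"].append((lineno, f"packet loss {worst}%"))
        m = PLATEAU.search(line)
        if m:
            limit, plateau = float(m.group(1)), float(m.group(2))
            # A plateau sitting at the limit suggests the session is throttled.
            if plateau >= limit:
                result["findings"].append(
                    (lineno, f"plateau {plateau} at bw limit {limit}"))
    return result

if __name__ == "__main__":
    report = scan_pcoip_log(SAMPLE_LOG)
    print("max_link_rate:", report["max_link_rate"])
    for lineno, message in report["findings"]:
        print(f"line {lineno}: {message}")
```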

22-07-14

VCAP-DTA Objective 6.2 – Configure Group Policies for PCoIP and RDP

  • Identify and resolve group policy conflicts – One of the great things about group policies is that there are so many settings you can configure and lock down that sooner or later you’ll end up doing something that means different group policies treading on each other’s toes. There are a couple of ways to check group policy inheritance:-
    • gpresult.exe – a command line tool that can be used to generate an RSoP report (Resultant Set of Policies). This is a quick way of looking at what’s been applied, what has been filtered and which AD groups a user is a member of, which can help troubleshooting. The command syntax for an RSoP style report is gpresult.exe /r and you’ll get something similar to the output below:-

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 22/07/2014 at 20:34:43
RSOP data for BECKETT\Administrator on DC01 : Logging Mode
———————————————————–

OS Configuration: Primary Domain Controller
OS Version: 6.1.7600
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
——————
CN=DC01,OU=Domain Controllers,DC=beckett,DC=local
Last time Group Policy was applied: 22/07/2014 at 20:34:10
Group Policy was applied from: DC01.beckett.local
Group Policy slow link threshold: 500 kbps
Domain Name: BECKETT
Domain Type: Windows 2000

Applied Group Policy Objects
—————————–
Default Domain Controllers Policy
Default Domain Policy
ThinPrint

The following GPOs were not applied because they were filtered out
——————————————————————-
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups
——————————————————-
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DC01$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Denied RODC Password Replication Group
System Mandatory Level

USER SETTINGS
————–
CN=Administrator,CN=Users,DC=beckett,DC=local
Last time Group Policy was applied: 22/07/2014 at 20:33:40
Group Policy was applied from: DC01.beckett.local
Group Policy slow link threshold: 500 kbps
Domain Name: BECKETT
Domain Type: Windows 2000

Applied Group Policy Objects
—————————–
N/A

The following GPOs were not applied because they were filtered out
——————————————————————-
Default Domain Policy
Filtering: Not Applied (Empty)

ThinPrint
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
—————————————————
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Group Policy Creator Owners
Domain Admins
Schema Admins
Enterprise Admins
Denied RODC Password Replication Group
High Mandatory Level

  • RSoP (Resultant Set of Policies) is basically a graphical representation of what you see above, which is actually quite helpful when you have a specific issue you want to troubleshoot. To run the report, go to Start | Run | rsop.msc and after the report has been generated, you kind of get a read-only group policy view with details of policy settings.

[Image: rsop]

 

  • Group Policy Management – One other thing to check is the Group Policy Management MMC tool. This can be accessed by going to Administrative Tools | Group Policy Management. Once within this tool, select a particular OU that you want to troubleshoot and click the Group Policy Inheritance tab. This displays which GPOs are in place and what their priorities are.

[Image: gpo]

 

  • Implement PCoIP and RDP Group Policy templates – As discussed in a previous article, PCoIP can be managed by importing the pcoip.adm policy template from the C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles folder into the Group Policy Management MMC view.
    • RDP can be managed via Group Policy from Group Policy Management under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services. From here, configure which settings you want to enable or disable etc, as shown below:-

[Image: RDP-GPO]
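Going back to the gpresult.exe /r report earlier in this objective, the following added Python example (not from the original post) splits such a report into applied and filtered GPOs per scope, so you can check whether a policy you expected actually landed. The report text is a trimmed excerpt of the one shown above, and the headings are matched exactly as that English-language output prints them.

```python
# Trimmed excerpt of the gpresult.exe /r report shown in the post.
REPORT = """COMPUTER SETTINGS
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Default Domain Policy
ThinPrint
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
Domain Controllers
USER SETTINGS
Applied Group Policy Objects
N/A
The following GPOs were not applied because they were filtered out
Default Domain Policy
Filtering: Not Applied (Empty)
ThinPrint
Filtering: Not Applied (Empty)
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [gpo], "filtered": {gpo: reason}}}."""
    out, scope, section, last = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if not line.strip("-\u2013\u2014"):  # blank line or dash rule
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = line.split()[0].lower(), None
            out[scope] = {"applied": [], "filtered": {}}
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.endswith("is a part of the following security groups"):
            section = None  # group names are not GPOs
        elif scope and section == "applied" and line != "N/A":
            out[scope]["applied"].append(line)
        elif scope and section == "filtered" and line.startswith("Filtering:"):
            out[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif scope and section == "filtered":
            last = line  # GPO name; its "Filtering:" reason is on the next line
    return out

def not_applied(parsed, scope, wanted):
    """Wanted GPOs that did not apply in scope, with gpresult's reason."""
    s = parsed[scope]
    return {g: s["filtered"].get(g, "not listed") for g in wanted if g not in s["applied"]}
```

For example, `not_applied(parse_gpresult(REPORT), "user", ["ThinPrint"])` reports ThinPrint as filtered on the user side even though it applied on the computer side. This only tells you which GPOs applied, not which individual setting won, so rsop.msc is still the place to look for setting-level conflicts.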