Active Directory (AD) Integration – Part 1

There are two main areas of Active Directory design that are critical to most Citrix implementations: Profiles, and Group Policies.

Profiles

In the simplest, default situation on a Windows Terminal Server, a user exists in Active Directory without any “profile” or “terminal services profile” information. When the user first logs in to the Terminal Server, a “local profile” is created under “Documents and Settings” on whichever application server they happen to hit. This directory structure includes Windows settings as well as “My Documents”, the “Desktop”, and Internet Explorer’s “cookies” and cached “bitmaps”. If a user saves data in these locations, logs out, and logs in to a different Presentation Server the next day, a completely different local profile is created, and the user is mystified as to why their data from the day before is “sometimes there, sometimes not” as they log in to different load-balanced desktops or applications.

AD Integration

There are advantages to “local” profiles on a Presentation Server: no data has to travel across the wire before the profile can load, and because the profiles on the separate servers are not tied together, they are not as likely to become corrupt as “roaming profiles” are. Logins are faster and profile management is simple.

A public library can publish a load-balanced desktop across several Citrix servers, and the local profile of the librarian, or the “library user”, remains the same on each server. The public uses the desktop, browses the internet, types, prints or saves, but leaves nothing behind, and doesn’t expect to see their own data or desktop changes waiting for them the next day. In an environment like this, the local profiles can become locked-down “mandatory” profiles that do not accept changes, and so do not become corrupt. Renaming ntuser.dat to ntuser.man is the simple step that turns a local profile into a “mandatory” profile.

But most internal organizations need to provide regular access to personal data, and to personal application and printer settings, across multiple load-balanced application presentation servers. Microsoft’s alternative to local profiles is “roaming profiles”: the profile is tied to the individual AD user account, and each user owns a private directory share where their profile is centrally stored. This profile is downloaded and cached on each Citrix application server; changes can be made there, and the profile is then copied back up to the central location, to be pulled down by the next application server the next time the user logs in.

To configure a roaming profile on a Windows 2003 Domain Controller, the user account in AD is modified on the “Terminal Services” tab, where a UNC path to the share on a central file server can be entered.
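The same “Terminal Services” tab value can be set from a script. This is an added example, not code from the original post: it uses ADSI to set a user’s Terminal Services profile path and reads it back; the share name is a placeholder, and it assumes a domain-joined machine and a profile share that already exists with per-user NTFS permissions.

```powershell
# Added example, not from the original post: set a user's Terminal Services
# profile path with ADSI instead of the "Terminal Services" tab in AD Users
# and Computers. Assumes a domain-joined machine and that the profile share
# (a placeholder name here) already exists with per-user NTFS permissions.
param(
    [Parameter(Mandatory = $true)] [string]$SamAccountName,
    [string]$ProfileShare = '\\FILESRV01\TSProfiles$'   # placeholder share
)

# Escape LDAP filter metacharacters so an odd account name cannot alter the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$filterValue = ConvertTo-LdapFilterValue $SamAccountName
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$filterValue))"
$result = $searcher.FindOne()
if ($null -eq $result) { throw "User '$SamAccountName' not found in the current domain." }

$user = $result.GetDirectoryEntry()

# The "Terminal Services" tab values live behind the IADsTSUserEx interface,
# so they are set with InvokeSet rather than as ordinary LDAP attributes.
$profilePath = Join-Path -Path $ProfileShare -ChildPath $SamAccountName
$user.psbase.InvokeSet('TerminalServicesProfilePath', $profilePath)
$user.psbase.CommitChanges()

# Read the value back to confirm the change was written.
$user.psbase.InvokeGet('TerminalServicesProfilePath')
```

Run it as an account with rights to modify the user object; the readback at the end should echo the UNC path that was just set.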


But once roaming profiles are implemented, several steps must be taken to keep them from becoming corrupt; otherwise the user can’t log in or log out, and an administrator ends up having to re-create the profile.

Microsoft’s free downloadable utility “UPHClean” (User Profile Hive Cleanup) is recommended for any terminal server, to clean up the user profiles that come and go on a daily basis.

In the Presentation Server Console (PSC) printing policies, the printer properties can be forced to be stored on the client device instead of in the roaming profile; this can cut down on profile corruption.


Delete cached roaming profile

If roaming profiles are implemented, Citrix recommends running several “Group Policies” alongside them to keep the implementation stable. By default, roaming profiles DO copy up to the central location when a user logs out, but they also remain behind on each Citrix server, “cached” for faster use in the future. The problem is that with the load-managed, published-application model, users could conceivably log in to multiple servers at once and log out of them in a different order, and this eventually leads to corruption through conflicting time stamps.


Citrix recommends having the cached roaming profiles deleted by enabling a GPO setting located in the “computer” section under “administrative templates”, “system”, “user profiles”; when this is enabled, two other settings in the same location are recommended as well: “do not detect slow network connections” and “wait for remote profile to load”.
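A quick way to confirm that those three settings actually reached a given Presentation Server is to read the policy registry values the GPO writes. This is an added example, not from the original post; the registry value names and the “enabled” values are taken from how these user-profile policies are stored on Windows, not from the post, and `Test-ProfilePolicy` is a name chosen here.

```powershell
# Added example, not from the original post: report whether the three
# user-profile policies recommended above have been applied to this server.
# Group Policy writes these settings under the policy key below; the value
# names and "enabled" values are from the policy definitions, not the post.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Policy display name -> registry value written by the GPO, and the value
# that corresponds to the setting being Enabled.
$expected = @(
    @{ Name = 'Delete cached copies of roaming profiles'; Value = 'DeleteRoamingCache';    Enabled = 1 },
    @{ Name = 'Do not detect slow network connections';   Value = 'SlowLinkDetectEnabled'; Enabled = 0 },
    @{ Name = 'Wait for remote user profile';             Value = 'WaitForNetwork';        Enabled = 1 }
)

function Test-ProfilePolicy {
    param([string]$Key, [hashtable[]]$Checks)

    # A missing key means no policy has been applied at all; treat every value as absent.
    $current = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }

    foreach ($c in $Checks) {
        $actual = $null
        if ($null -ne $current -and $null -ne $current.PSObject.Properties[$c.Value]) {
            $actual = $current.($c.Value)
        }
        [pscustomobject]@{
            Policy   = $c.Name
            Value    = $c.Value
            Expected = $c.Enabled
            Actual   = $actual
            Applied  = ($actual -eq $c.Enabled)
        }
    }
}

# Any row with Applied = False is a server where the recommended GPO has not taken effect.
Test-ProfilePolicy -Key $policyKey -Checks $expected | Format-Table -AutoSize
```

Run it on each Citrix server after a `gpupdate`; a row showing `Actual` empty means the policy is still “Not configured” on that machine, while a wrong number means a conflicting GPO is winning.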


Folder Redirection

The problem now with “roaming profiles” is that by default they can become large, since “My Documents”, IE’s cached bitmaps and cookies, and the “Desktop” are all part of the profile. To avoid sending a user’s entire home folder over the wire to be cached on an application server, “folder redirection” can be implemented through Windows GPOs, keeping the profile from becoming unmanageably large. Folder redirection is configured in the “user” section of a GPO, under “windows settings”. Once implemented, large portions of the formerly “roaming” profile remain in place on the central “home” directory, available for retrieval through whatever methods the Citrix administrator has provided, instead of the default design, which downloads every document a user has ever saved to each server on the day they log in to that server.


Another feature of Windows 2003 GPOs is “profile size quotas”. Users are allowed to grow their profile until it gets larger than a preset value. The problem with this setting is that once a user passes the quota, they are unable to complete a logout, because the copy of the profile back up to the central location cannot complete, and they have to call the help desk.

Even with folder redirection in place, the profiles in an enterprise Citrix deployment can become large, due simply to a high volume of applications that all require bits of a profile.


Citrix Consulting has come up with a custom scripting solution called “hybrid profiles”: they look at just how much of the profile actually requires changing, and script a solution that cuts way down on how much of the profile travels back and forth, “roaming”, leaving the rest as a permanently cached “local mandatory” profile on each Presentation Server. “FLEX” profiles are a free downloadable tool for developing your own scripts that render large roaming profiles “hybrids”.

Stay tuned for part 2…

CM, Citrix Training Instructor
Unitek Citrix Training

1 reply
  1. Anonymous says:

    Wow! This could be one of the most beneficial blogs I’ve ever come across on this subject. Basically wonderful. I’m also an expert in this topic, so I can understand your hard work.
