CTX226120

Citrix App Layering: DR Processing Utility

Applicable Products

  • Citrix App Layering

Introduction

Organizations perform DR in many different ways. This utility was developed to help customers that set up the Unidesk LayerSync utility to keep separate Production and DR instances synchronized, where every user has a dedicated Production desktop and a dedicated DR desktop. The utility performs two functions. It will assign DR desktops to the same user as a Production desktop defined in a separate View replica group, based on matching the DR desktop name to a Production desktop name. It will also produce a report comparing the Production and DR desktops; if the layers assigned to the desktops are different, the desktops and the layer differences will be included in the report. The report will also show if a DR desktop does not match any desktop in Production, or if the user assigned to a DR desktop does not match the user assigned to the matching Production desktop.

Prerequisites

The following assumptions were made in designing this solution:

  • The utility only works for customers using VMware Horizon View as their broker
  • The utility will support two separate vCenter servers or just one vCenter
  • The utility will support a single View replica group or two separate replica groups for Production and DR.
  • In order to use this utility you require: 
    • A console machine to run the utility that has:
      • PowerShell installed
      • vSphere PowerCLI matching your version of vCenter.
  • A Domain account that is a local Administrator on the console machine, an administrator on the View connection server, and a View Administrator.
  • SSH open from the Console machine to both management Appliances.
  • PowerShell remoting is required to interface with a connection server in each View replica group.
  • The utility uses LDAP to query the View ADAM Directory. Therefore port 389 must be open from the console machine to the View Connection server.

 

How the Utility Works

The utility can be scheduled or run manually from time to time. When run, the utility will:

  • Query the Production View server via LDAP to get a list of all pools and their CNs
  • For each pool that matches the configured pools, query the View server via LDAP to get the members of the pool, capturing their SID
  • Query the DR View server via LDAP to get a list of all pools and their CNs
  • For each pool that matches the configured DR pools, query the DR View server via LDAP to get the members of the pool, capturing their SID
  • If any View desktops need to be assigned:
    • Set up a remote PowerShell session on the DR View server
    • Load remote commands
    • Load the View PowerCLI
    • Assign each desktop that needs to be assigned
  • Update the list of DR desktop assignments
  • Run the DR Comparison Report
  • Email the DR Comparison Report

Installing and Setting up the Utility

First download the zip. Before unzipping the download, check the properties of the zip file to see whether it is blocked, as shown on the right. If it is, click Unblock. This will unblock all of the files, as long as you unblock the zip before you extract the files.

Then extract to a folder with no spaces in the path and no special characters like () in the path, then open the executable.


DR Processing

This interface allows you to enter the information required by the utility.

  • Configuration Step 1 Connection Information

In this section you add the FQDN or IP address of each Management Appliance. If you have changed the root password for the appliances then add passwords here. If you have not changed the passwords the utility knows the default password and you do not need to add it. In the current version if you are doing both Production and DR desktops in the same Management Appliance just add it twice. In future versions we will make it simpler by allowing you to define a single MA. You must click SAVE for each entry.

  • Misc Configuration

This section includes the information required to get and set settings in VMware View as well as the definition used to match DR desktops to Production desktops.

VMware View Settings

In this section you will add most of the configuration information including Connection Servers, Accounts, and Pool Information.

The first information to add is the IP addresses or FQDNs of the Production and DR connection servers. If you are using a single server for both Production and DR pools, add that server twice. The account defined here is used to connect to the server to run PowerShell commands, so it must be an administrator on the server and an administrator within View.

The last thing in this section is to define the pool mapping between Production and DR. All of the desktops found in the Production Pool will be added to the matching DR pool as defined here.

Desktop Matching Criteria

The next thing to enter is the set of characters used to define the match between DR desktops and Production desktops.

What is defined here are three settings:

  • The characters in the Production desktop name that are replaced in the DR desktop name
  • The characters in the DR desktop name that replace the characters in the Production desktop name
  • The location (position) in the naming convention of the DR characters that will be replaced. This is defined as

Type – Start Position – Number of characters

where Type can be L (left) or R (right).

Start Position is the number of characters from the left or right at which the DR characters to replace start in the naming convention.

Number of characters is the number of characters in the DR desktop name to be replaced. This should be the same as the length of number 2 above.

The name cannot exceed 15 characters.

The way this works is that we start with the DR desktop name and search for the characters defined in number 2, replacing them with the characters in number 1, but only within the window that begins at the start position and runs for the number of characters.

This allows you to define many different replacement strategies, but the naming strategy must be consistent across all desktops.

Examples:

To replace one character with another:

Prod Name: Vdi-mrkt-001 DR Name: vdi-mrkt-d001

Can use: L-10-1 or R-4-1

Search: d Replace: blank

Prod Name: Vdiprd-mrkt-001 DR Name: vdidr-mrkt-d001

Can use: L-4-2 or R-12-2

Search: dr Replace: prd

Prod Name: Vdidtabc-001 DR Name: Vdidtabcx001

Can use: L-9-1 or R-4-1

Search: x Replace: -
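
The matching rule above, written out as an added PowerShell example (this is not the utility's own code; `Convert-DrNameToProdName` and its parameters are hypothetical names). It assumes that for type R the start position counts back from the last character to the first character of the window, which is what the first and third examples above imply, and that the window must contain exactly the search characters; a DR name that does not follow the convention yields no match rather than a guess, so the desktop is not paired with the wrong Production desktop.

```powershell
# Added example: hypothetical helper, not the utility's own code.
function Convert-DrNameToProdName {
    param(
        [Parameter(Mandatory)][string]$DrName,
        [Parameter(Mandatory)][string]$Position,  # Type-Start-Count, e.g. L-10-1
        [Parameter(Mandatory)][string]$Search,    # setting 2: characters in the DR name
        [string]$Replace = ''                     # setting 1: characters in the Production name
    )
    if ($Position -notmatch '^(?<type>[LR])-(?<start>\d+)-(?<count>\d+)$') {
        throw "Position '$Position' is not in Type-Start-Count form"
    }
    $start = [int]$Matches['start']
    $count = [int]$Matches['count']
    # Zero-based index of the first character of the window. For R, Start is
    # counted from the last character back to the first character of the window.
    $index = if ($Matches['type'] -eq 'L') { $start - 1 } else { $DrName.Length - $start }
    if ($index -lt 0 -or ($index + $count) -gt $DrName.Length) { return $null }
    # Assumption: the window must hold exactly the DR characters; otherwise the
    # desktop does not follow the naming convention and is not matched.
    if ($DrName.Substring($index, $count) -ne $Search) { return $null }
    $prod = $DrName.Substring(0, $index) + $Replace + $DrName.Substring($index + $count)
    if ($prod.Length -gt 15) { return $null }     # names cannot exceed 15 characters
    return $prod
}

# Production names from the page's examples; the last DR name is constructed.
$prodNames = 'Vdi-mrkt-001', 'Vdidtabc-001'
$cases = @(
    @{ Dr = 'vdi-mrkt-d001'; Pos = 'L-10-1'; Search = 'd'; Replace = ''  }
    @{ Dr = 'vdi-mrkt-d001'; Pos = 'R-4-1';  Search = 'd'; Replace = ''  }
    @{ Dr = 'Vdidtabcx001';  Pos = 'R-4-1';  Search = 'x'; Replace = '-' }
    @{ Dr = 'vdi-mrkt-0001'; Pos = 'R-4-1';  Search = 'd'; Replace = ''  }
)
foreach ($c in $cases) {
    $prod = Convert-DrNameToProdName -DrName $c.Dr -Position $c.Pos -Search $c.Search -Replace $c.Replace
    # -contains compares case-insensitively, so vdi-mrkt-001 matches Vdi-mrkt-001.
    $status = if ($prod -and ($prodNames -contains $prod)) { "matches $prod" } else { 'no Production match' }
    '{0,-14} {1,-7} {2}' -f $c.Dr, $c.Pos, $status
}
```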

 

Reporting

This has one setting: "Include Desktops that Pass the Layer Matching Tests in output". When checked, this will add a section to the comparison report listing all the desktops that match between DR and Production. This can be used for troubleshooting.

  • Scheduled task Information

This section allows you to create a scheduled task on the machine you are running the utility on. Choose whether to run the task daily or weekly; if weekly, select the day of the week. Define the time to start the task and the account to run the task under. Remember that you must create the credential file using the same account on the same desktop that will run the task, or it will not be able to decrypt the password to connect to the host.

If you use a domain account, use Domain\account; if local, use Desktop Name\account.

If you want to have a different schedule than daily or weekly, create the task, then go into the Task Scheduler and change the schedule.

It is critical that the user you are logged in as when configuring the utility is the same user used to run the scheduled task; otherwise the passwords cannot be decrypted when the task runs.

To create the task press Create Task.

  • Email Configuration

This section is used to configure mail relay settings.

To configure and use this functionality, enter the appropriate mail relay and mail address information. Relays have different requirements. If the relay is “open”, then the “From Address” can be any desired text string; it does not have to be a real email address, though it can be. If the relay requires authentication, check the “Use Auth” box, and if you want to use SSL, check the “Use SSL” box in D and enter the account and password. Typically these will be the Active Directory account and password.

In either case, enter the “To Address” information, which can be a single address or multiple addresses delimited using a comma.

When the settings are completed, press “Save Config”, then test the email. This will save the configuration to a text file and send a test email. Ensure the test email is successful. If a password is used, it is saved in encrypted form based on the logged-in user. Therefore the settings must be made and saved using the account that will run the backups, just like section 1.

Configuring WinRM

In order to use this utility, PowerShell Remoting must be enabled on the VMware View Connection Server used for integration. If you have not already configured WinRM on this Connection Server, then you must do that before using the utility.

We will configure the Connection Server to allow remote PowerShell using the Set-WSManQuickConfig cmdlet.

 

WSManQuickConfig

To configure WinRM manually, do the following:

  • Log on to the Connection Server as a local administrator
  • Open PowerShell “As Administrator”
  • Type Set-WSManQuickConfig or Set-WSManQuickConfig -UseSSL
    • See Encrypting Communications
  • Answer Yes to the prompt

By default QuickConfig allows connections from any machine. Remember this is not truly wide open, as permissions are required to make connections to a remote machine.

To configure only specific Trusted Hosts see the next section.

Trusted Hosts

Trusted Hosts are machines that are allowed to run PowerShell Remoting or other WSMan commands against the desktops or hosts configured with WinRM.

Defining the Trusted Hosts is easy using PowerShell.

To set the Trusted Host for a single machine:

Set-item wsman:\localhost\Client\TrustedHosts john.doe.com

For a list of machines use

Set-Item wsman:\localhost\Client\TrustedHosts -Value <computername>,<computername>,…

For the whole domain use

Set-item wsman:\localhost\Client\TrustedHosts *.doe.com

The commands do not add to each other; each one replaces the previous list. If you want to add many machines to the list, include them all in one command.
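
An added example, not part of the original article: because each Set-Item call overwrites the list, this sketch reads the current TrustedHosts value first and appends only the missing entries with the WSMan provider's -Concatenate switch, so existing entries are kept and a narrow list is not accidentally widened or wiped. `Add-TrustedHost` is a hypothetical helper name and the host names are placeholders; run it in an elevated PowerShell session.

```powershell
# Added example. The path is under Client, so the setting is changed on the
# machine where this is run. Host names below are placeholders.
$path = 'WSMan:\localhost\Client\TrustedHosts'

function Add-TrustedHost {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # The current value is one comma-separated string; empty when nothing is set.
    $current = @((Get-Item -Path $path).Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })

    if ($current -contains '*') {
        Write-Warning 'TrustedHosts is *: every host is already trusted; nothing added.'
        return
    }

    # Only add entries that are not already listed (comparison is case-insensitive).
    $missing = @($ComputerName | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) { return }

    # -Concatenate appends to the existing list instead of replacing it.
    Set-Item -Path $path -Value ($missing -join ',') -Concatenate -Force
}

Add-TrustedHost -ComputerName 'view-cs01.example.com', 'view-cs02.example.com'

# Review the resulting list after every change.
(Get-Item -Path $path).Value
```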

Using the Utilities

This utility will normally be run periodically as a scheduled task. However, it can be run on demand by clicking the Run DRProcessing button in the utility UI. Every time the utility runs, it sends the DR Comparison report to the defined email list. To create the report manually, click Run Report Only. To review the report from the console, click Open reports and select the desired report. You can also review the logs by looking in the log folder.

Examining the Log Files

Log files are located in a log folder under the folder created to store the utility. Logs are listed by the date and time when the utility was run.

The log file details each step of the process as it happens. The log will also show warnings or errors that happened during the processing.

 

DR Desktop Comparison Report

The utility generates an exception report that shows when the layers are different between DR and Production for a desktop. The report will also show if the user assigned to the DR desktop is different from the user assigned to the Production desktop, as well as Production desktops that have no match in DR.

The first section of the report shows desktops with mismatched layers between Production and DR. The next section shows desktops where ownership does not match between Production and DR. The section after that is optional. If included, it will list all the desktops that match in Production and DR. The last section shows desktops in Production that have no match in DR. This match is based on the naming transform and obtained from the Unidesk MA Database in both sites.