Archive for the ‘Uncategorized’ Category

I was recently required to raise the AD domain and forest functional levels in order to implement Windows Hello for Business, which requires a minimum domain functional level of 2008 R2. Microsoft describe raising the AD functional levels as a low-risk change. In total these steps took about an hour, with the actual level changes taking a few seconds and replication taking about 20 minutes in total.

So, to raise the functional levels from 2008 to 2012 R2 (the Windows Server version running on all of the domain controllers), here’s what I did.

  1. Create a system state backup of a domain controller. I did this using the Windows Server Backup MMC snap-in, which wasn’t installed on the server, so I added the feature first. This article outlines the steps simply: http://www.tomsitpro.com/articles/back-up-windows-server-2016-domain-controller,1-3423.html
  2. Take a VM snapshot of a domain controller.
  3. Identify the PDC in the domain by running netdom query fsmo
  4. Raise the domain functional level using the steps in this Petri article: https://www.petri.com/raising-windows-server-2008-active-directory-domain-and-forest-functional-levels
  5. On all of the domain controllers, check the level by running the PowerShell command (Get-ADDomain).DomainMode. When all reported Windows2012R2Domain, continue.
  6. Raise the forest functional level using the steps in this Petri article: https://www.petri.com/raising-windows-server-2008-active-directory-domain-and-forest-functional-levels
  7. On all of the domain controllers, check the level by running the PowerShell command (Get-ADForest).ForestMode. When all reported Windows2012R2Forest, continue.
  8. Check that I could restart and log on to a computer, and that a change I made to an AD group replicated to all domain controllers.
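The same procedure as a script, added here as an example rather than taken from the original post: it pre-checks the domain controller OS versions, raises the domain level, polls every DC directly until all report the new level (steps 4 and 5), and only then raises and re-checks the forest level (steps 6 and 7). It assumes the ActiveDirectory RSAT module, Enterprise Admin rights and an elevated session; the OS-name match in the pre-check is a simple assumption, not an official check.

```powershell
# Added example (not the post's own code): raise domain then forest functional
# level to 2012 R2, confirming replication on every DC between the two steps.
Import-Module ActiveDirectory

$targetDomainMode = 'Windows2012R2Domain'
$targetForestMode = 'Windows2012R2Forest'
$dcs = (Get-ADDomainController -Filter *).HostName

# Pre-check (assumed name match): every DC must already run 2012 R2 or later,
# otherwise Set-ADDomainMode/Set-ADForestMode will refuse the change.
$tooOld = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notmatch 'Server (2012 R2|201[69]|202\d)' }
if ($tooOld) {
    throw "DCs below 2012 R2 found: $($tooOld.HostName -join ', ')"
}

# Query each DC directly with -Server, so we see what that DC has replicated
# rather than just the DC the session happens to be bound to.
function Wait-ForLevel {
    param([scriptblock]$Query, [string]$Expected, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = $dcs | Where-Object { (& $Query $_) -ne $Expected }
        if (-not $pending) { return $true }
        Write-Host "Still waiting for: $($pending -join ', ')"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Timed out; not yet at $Expected on: $($pending -join ', ')"
}

# Step 4/5: domain level first, then confirm on every DC.
Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode $targetDomainMode -Confirm:$false
Wait-ForLevel -Query { param($dc) (Get-ADDomain -Server $dc).DomainMode.ToString() } `
              -Expected $targetDomainMode

# Step 6/7: forest level only once the domain level has replicated everywhere.
Set-ADForestMode -Identity (Get-ADForest) -ForestMode $targetForestMode -Confirm:$false
Wait-ForLevel -Query { param($dc) (Get-ADForest -Server $dc).ForestMode.ToString() } `
              -Expected $targetForestMode
```

Take the system state backup and VM snapshot from steps 1 and 2 before running it; the script does not do that for you.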

As part of some testing, I’ve checked out what happens in the scenario where you remove a user from a delivery group while the user has an active session. The current session continues to run normally, but the user won’t have that session available in their Web Interface.

I’ve recently come across the error described in this article: http://support.citrix.com/article/CTX200551. The article isn’t quite clear on which service to restart. The service you want is “Citrix PVS Soap Server”, rather than “the SOAP service”.

I’ve recently been dealing with installing and configuring two HP products to work together – HP UFT 12 and HP ALM Platform Loader 12.2. The key challenge was working in a locked-down environment which prevented the per-user installation of ALM Platform Loader. ALM usually installs an ActiveX control into the user’s profile, but as this wasn’t an option, I modified the ALM-Client.ini file to refer to a location in C:\Program Files (x86) that I copied all of the resultant files to. You still need to make sure the ALM-Platform-Loader.12.ocx file is registered and that your executables are whitelisted. ALM will also want to execute some files in %temp%, so be aware of this.

UFT installs through a more typical local MSI install and has some of the same whitelisting issues in a locked-down environment. There are some links from within ALM to UFT, but the key one I was concerned with was connecting to ALM from UFT. In particular, as a regular user, only one site could be connected to at a time. This turned out to be due to the WebClient.dll file being registered from the folder related to the site. A regular user couldn’t change the registry value, so could only connect to one site. This came up when the test site worked fine, but production didn’t! The registry value you need to change when switching between sites is


Something especially lousy about this is that because this is a file registration, users need to have access to all of HKEY_CLASSES_ROOT, so realistically it CAN’T be changed dynamically. However, if you change permissions on this key and write a script to modify the key at launch, you can switch between sites, even if not within one session. I didn’t need to do this as we were able to just change the key to point to the production server.

Coming across this error:
“The return code from the Adobe Installer Process is (31).Stopping the installation process.”

led me to this page from Adobe, which indicates that 31 means not enough space:


Citrix Desktop Lock doesn’t natively support an unattended or silent installation as the system account, because it sets a different shell for the installing user so that they can still manage the computer as normal. In order to get the installation to complete silently, I’d recommend:

  1. Complete an installation as a logged-in user and generate a verbose install log. You’ll get some entries in the log generated by a custom action called CtxSetLiveInDesktop. Running as an interactive user will show all the registry keys this reads and sets.
  2. Create a transform of the msi which removes the custom action CtxSetLiveInDesktop from executing.
  3. The install will now complete when run with the transform but won’t set the vital keys to enable the shell functionality.
  4. After the installation, set these values and anyone who logs on will get the Desktop Lock experience:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\Citrix\\ICA Client\\pnagent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"Shell"="USR:Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

Set these values and anyone who logs on will get the normal Windows experience:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"Shell"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

** As a note to this, you can alternatively set the per-user value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe in the Citrix Desktop Lock scenario if you want particular users to see the standard Windows shell. You might set this through Group Policy, a logon script, etc.
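A script form of step 4 and the note above, added here as an example and not part of the original post: one function switches the two machine-wide values between the Desktop Lock and standard shells and reads them back so a failed write is visible, and a second sets the per-user HKCU override. It assumes the pnagent.exe path given in the post and an elevated session for the HKLM writes.

```powershell
# Added example (not the post's own code): toggle the Winlogon shell values
# from the post between Citrix Desktop Lock and the normal Windows shell.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$iniMap   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot'

function Set-DesktopLockShell {
    param([Parameter(Mandatory)][ValidateSet('DesktopLock','Windows')][string]$Mode)

    if ($Mode -eq 'DesktopLock') {
        # Path assumed from the post's registry export.
        $shell   = 'C:\Program Files\Citrix\ICA Client\pnagent.exe'
        # Per the post, the USR: mapping is what lets an HKCU Shell value
        # override the machine shell for particular users.
        $mapping = 'USR:Microsoft\Windows NT\CurrentVersion\Winlogon'
    } else {
        $shell   = 'explorer.exe'
        $mapping = 'SYS:Microsoft\Windows NT\CurrentVersion\Winlogon'
    }

    Set-ItemProperty -Path $winlogon -Name Shell -Value $shell   -Type String
    Set-ItemProperty -Path $iniMap   -Name Shell -Value $mapping -Type String

    # Read back both values so an unelevated or otherwise failed write shows up.
    [pscustomobject]@{
        WinlogonShell = (Get-ItemProperty -Path $winlogon).Shell
        IniMapping    = (Get-ItemProperty -Path $iniMap).Shell
    }
}

# Per-user opt-out from the note above: give the current user the standard shell.
function Set-UserShellOverride {
    param([string]$Shell = 'explorer.exe')
    $userKey = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name Shell -Value $Shell -Type String
}

# Usage: machine-wide Desktop Lock, then revert with -Mode Windows when needed.
Set-DesktopLockShell -Mode DesktopLock
```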

I’ve been looking for a little while for a way to prevent that security bugbear of laptops bridging the corporate network by keeping the wifi or 3G connection running while connected to the domain. A neat product I’ve come across is Accessity 1Net. It is easy to install, runs a lightweight service, and was pretty snappy at disabling the unwanted connection. It identified the domain straight off and prevented other unwanted connections while on the domain. I could still take a laptop home and connect via wifi.

You can set the configuration via Group Policy which is nice.

You can set some HP models in the BIOS to disable a wireless connection when a wired one is available, but I haven’t seen it from all manufacturers. In the 1Net install you can set the command line property

ALLOWWLANONDOMAIN=N if you want to disconnect the wireless when the ethernet is connected or

ALLOWWLANONDOMAIN=Y if you’re happy to allow both connections.

It worked very well for me, so take a look if you’re trying to prevent network bridging or to disable wireless while on the LAN.
