United States | Deploying VDAs in a Multi-Forest Environment

Nick Pylarinos - 02.12.2019

Deploying VDAs in a Multi-Forest Environment


I was recently brought onto a project to consolidate two aging Citrix farms into a single 7.15 farm.

The project consisted of multiple images across multiple domains, with the endgame being that all the images would sit in the same infrastructure under a single Citrix 7.15 environment, the only exception being that the images had to remain members of their original domains.

The images were reverse engineered and ported over to a shiny new ESX Cluster, which made life easier as the abundance of compute and storage was a joy to play with.

Part of the standard image creation process was to point the VDAs to the new DDCs. For the Citrix guys who have done manual VDA installs it’s always nice and comforting to see that green tick to indicate the connection has been established and a valid DDC has responded. Awesome!….or so you would think….


One of the things that makes my job awesome is coming up against tricky problems that have no explanation as to why something is broken… then trying to fix it… this blog (I hope) will provide a quick resolution for whoever reads it to solve the issue.

What is the issue I am writing about though…? Keep reading to find out…

VDAs in Domain1 could communicate with Desktop Delivery Controllers in Domain1… VDAs in Domain2 could not communicate with Desktop Delivery Controllers in Domain1.

Standard procedure, check Network Firewall & Settings, check Windows Firewall and settings etc… 9 out of 10 times this all checks out OK…but must be done.

So research time… I realised that I had a few more items to configure before this very simple piece of comms between server/client would be possible.

First was to establish the permissions on the OU for the Citrix Admin to create machines.

Select the OU that will house your Computer accounts:

  • Right Click and select Delegate Control
  • Add the Security group which has Citrix site access (Citrix admin account)
  • Create a custom task to delegate
  • Select the below settings:


  • Select permissions on the next screen to be Read & Write


So that’s it…..but wait there’s still more to do…

For this type of setup to work, the existing VDAs must be granted authentication access to the Delivery Controllers – this has to be done via Active Directory.

For simplicity, nest all the VDA computer accounts into a single group (this will make setting the appropriate permissions easier).

Right click onto the OU where the Citrix DDCs reside and select -> Properties -> Security. Here we are going to add the VDIs security group and assign R/W abilities.

An example of the config here:


Now that Active Directory is configured – let's go back to the Citrix VDA configuration – starting with the Desktop Delivery Controller…

Login to your Citrix Desktop Delivery Controllers and open the registry editor…

Navigate to HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer

If the key doesn’t exist, please add a REG_DWORD called SupportMultipleForest and assign it the value 1.

Next phase is to move back onto your master image and open up the registry. You will then need to add the following items to the following keys:

  • 32-Bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\ListOfSIDs
  • 64-Bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\ListOfSIDs

Add the SIDs of the Delivery Controllers.
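A read-only check of the registry settings from the two steps above, added here as an example and not part of the original post. The controller account names are hypothetical placeholders, and the script assumes ListOfSIDs holds whitespace-separated SIDs in a single string value; run it in an elevated PowerShell session.

```powershell
# Added example (read-only audit). Account names are hypothetical placeholders.
$Controllers = @('DOMAIN1\DDC01$', 'DOMAIN1\DDC02$')

function Resolve-ControllerSid {
    param([string[]]$Account)
    foreach ($a in $Account) {
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($a)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $null   # name could not be resolved across the trust
        }
        [pscustomobject]@{ Account = $a; Sid = $sid }
    }
}

function Test-ControllerMultiForest {
    # Run on a Delivery Controller: the DWORD from the step above must be 1.
    $key = 'HKLM:\Software\Citrix\DesktopServer'
    $v = (Get-ItemProperty -Path $key -Name SupportMultipleForest -ErrorAction SilentlyContinue).SupportMultipleForest
    [pscustomobject]@{ Key = $key; Value = $v; Enabled = ($v -eq 1) }
}

function Test-VdaSidList {
    # Run on the master image: compare ListOfSIDs with the SIDs you expect.
    param([string[]]$ExpectedSid)
    $keys = 'HKLM:\Software\Citrix\VirtualDesktopAgent',
            'HKLM:\Software\Wow6432Node\Citrix\VirtualDesktopAgent'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $raw = (Get-ItemProperty -Path $k -Name ListOfSIDs -ErrorAction SilentlyContinue).ListOfSIDs
        # Assumption: SIDs are whitespace-separated in one string value.
        $present = @("$raw" -split '\s+' | Where-Object { $_ })
        [pscustomobject]@{
            Key        = $k
            Missing    = @($ExpectedSid | Where-Object { $_ -notin $present })
            Unexpected = @($present | Where-Object { $_ -notin $ExpectedSid })
        }
    }
}

# Usage:
#   $sids = (Resolve-ControllerSid $Controllers | Where-Object Sid).Sid
#   Test-VdaSidList -ExpectedSid $sids      # on the VDA image
#   Test-ControllerMultiForest              # on each Delivery Controller
```

A SID listed under Unexpected is present on the image but does not belong to a controller you named, and is worth investigating before the image is sealed.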

Technically this is all you need to do….but here is the bit the vendor tech articles leave out:

One more STEP!

So after trying various means to figure out what was missing…the BrokerAgent Config file needs a little modification before allowing the multi-site registration cycle to be complete.

Always prudent to take a backup……..just in case!

Open the file in Notepad and set the following field to “true”:

