SCVMM: Service Principal Names (SPNs) Required for Proper SCVMM 2008 Functionality
SCVMM 2008, 2008 R2, and future versions of SCVMM rely on Kerberos and Kerberos delegation for their security and authentication model. You may encounter various authentication and authorization problems with SCVMM if the underlying platform service principal names (SPNs) are not properly set.
For Virtual Console Support for Hyper-V Hosts (VMCONNECT.EXE) – This will be required on Hyper-V Hosts. Use the following command to set and verify SPNs.
setspn -s "Microsoft Virtual Console Service/HOSTNAME" computername
setspn -s "Microsoft Virtual Console Service/hostname.fqdn.etc" computername
For P2V Support.
Use the following command to set and verify SPNs.
setspn -s "Microsoft Virtual System Migration Service/hostname.fqdn.etc" computername
setspn -s "Microsoft Virtual System Migration Service/hostname" computername
For VS2005 Hosts and the VMRC utility – This will be required on Virtual Server 2005 Hosts. Use the following command to set and verify SPNs.
setspn -s vmrc/hostname.fqdn.etc:5900 computername
setspn -s vmrc/hostname:5900 computername
setspn -s vssrvc/hostname.fqdn.etc computername
setspn -s vssrvc/hostname computername
For RDP Support.
Use the following command to set and verify SPNs.
setspn -s TERMSRV/hostname.fqdn.etc computername
setspn -s TERMSRV/hostname computername
For all Hosts.
Use the following command to set and verify SPNs.
setspn -s HOST/hostname computername
setspn -s HOST/hostname.fqdn.etc computername
HTTP (may be needed for authentication on SSP if the VMM server is using Remote SQL.)
Use the following command to set and verify SPNs.
setspn -s HTTP/hostname.fqdn.etc computername
setspn -s HTTP/hostname computername
SQL VMM Database
Depends on port and instance type:
Named Instance.
Use the following command to set and verify SPNs.
setspn -s MSSQLSvc/hostname.fqdn.etc:Port computername
setspn -s MSSQLSvc/hostname.fqdn.etc:InstanceName computername
Default Instance.
Use the following command to set and verify SPNs.
setspn -s MSSQLSvc/hostname:1433 computername
setspn -s MSSQLSvc/hostname.fqdn.etc:1433 computername
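The following PowerShell is an added example, not part of the original post or of SCVMM: it builds the SPNs listed above for the port-less service classes and classifies each one as OK, Missing, WrongAccount or Duplicate, since an SPN held by a second account breaks Kerberos authentication to that service just as a missing one does. The host hv01, the domain corp.example, the account svc-legacy and the $directory table are constructed sample data; in a domain, fill the table from an LDAP query on the servicePrincipalName attribute.

```powershell
# Added example. Service classes are the port-less ones listed on this page.
$SpnClass = @{
    AllHosts = 'HOST'
    HyperV   = 'Microsoft Virtual Console Service'
    P2V      = 'Microsoft Virtual System Migration Service'
    RDP      = 'TERMSRV'
    HTTP     = 'HTTP'
}

function Get-ExpectedSpn {
    # Emits the short-name and FQDN form of every SPN required for the given roles.
    param([string]$Short, [string]$Fqdn, [string[]]$Roles)
    foreach ($role in $Roles) {
        if (-not $SpnClass.ContainsKey($role)) { throw "Unknown role: $role" }
        foreach ($name in $Short, $Fqdn) { '{0}/{1}' -f $SpnClass[$role], $name }
    }
}

function Test-HostSpn {
    # $Lookup maps SPN -> account name(s) holding it (hypothetical input shape).
    param([string]$Account, [string[]]$Expected, [hashtable]$Lookup)
    foreach ($spn in $Expected) {
        $owners = @($Lookup[$spn] | Where-Object { $_ })   # drop the null of an absent key
        $status = 'OK'
        if ($owners.Count -eq 0) { $status = 'Missing' }
        elseif ($owners.Count -gt 1) { $status = 'Duplicate' }
        elseif ($owners[0] -ne $Account) { $status = 'WrongAccount' }
        [pscustomobject]@{ Spn = $spn; Status = $status; Owners = $owners -join ', ' }
    }
}

# Constructed sample directory state: one SPN on two accounts, one on the wrong account,
# and the FQDN form of the Virtual Console SPN never registered.
$directory = @{
    'HOST/hv01'                              = 'HV01$'
    'HOST/hv01.corp.example'                 = 'HV01$'
    'Microsoft Virtual Console Service/hv01' = 'HV01$'
    'TERMSRV/hv01'                           = 'HV01$', 'svc-legacy'
    'TERMSRV/hv01.corp.example'              = 'svc-legacy'
}

$expected = Get-ExpectedSpn -Short 'hv01' -Fqdn 'hv01.corp.example' -Roles AllHosts, HyperV, RDP
Test-HostSpn -Account 'HV01$' -Expected $expected -Lookup $directory | Format-Table -AutoSize

# Missing: register it with setspn -s as shown on this page.
# Duplicate or WrongAccount: remove the stray registration (setspn -d) from the other
# account before adding the SPN to the computer account.
```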
Here are some links to some excellent articles:
App-V: Error Running Virtualized SAS Client: “Could not Load SAS font”
After sequencing the SAS Base version 9.2 client, you may get the following error upon launching the application:
WARNING: Could not load SAS font : SAS Monospace
WARNING: Could not load SAS font : SAS Monospace Bold
This will not happen during the launch phase, so it comes unexpectedly post-deployment.
The two fonts referenced (“SAS Monospace” & “SAS Monospace Bold”) are located in the virtual file structure (CSIDL_Fonts), and are referenced in the Virtual Registry (in the key HKLM>Software>Microsoft>Windows NT>CurrentVersion>Fonts, and referenced as a redirect for another font value in the FontSubstitutes key).
They are also viewable via sfttray /exe cmd.exe when browsing directly to the c:\windows\fonts folder.
The cause of this tracks back to the fact that the fonts are marked as User Data. Being marked as User Data implies that it is modifiable data that will be copied and maintained in the user’s package volume (*.PKG file). Since it is marked as user data, when the query is made to the C:\ location, it is redirected to the USER PKG, where the font may or may not be.
If you look at this through a Process Monitor trace (one both inside and outside the VE) you will see this happening as well.
If you change the source location for SAS Fonts in the file C:\Program Files\SAS\SASFoundation\9.2\nls\en\SASV9.CFG (Q:\\VFS\CSIDL_PROGRAM_FILES\SAS\SASFoundation\9.2\nls\en\SASV9.CFG) to point to the VFS location (i.e. Q:\\VFS\CSIDL_PROGRAM_FILES\SAS\SASFoundation\9.2\core\resource) instead of the original location on C:\, the error should go away.
Microsoft Virtualization Engine and Management Updates
Here is a listing of significant Microsoft management and virtualization engine downloads and updates at all levels of the stack:
Storage Virtualization:
Microsoft iSCSI Target Software:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=45105d7f-8c6c-4666-a305-c8189062a0d0
iSCSI Software Target is an optional Windows Server component that provides centralized, software-based and hardware-independent iSCSI disk subsystems in storage area networks (SANs).
App-V
Microsoft App-V 4.6 Service Pack 1
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3b48dbfe-612d-4806-b737-9254bd9b2445
Hyper-V
Windows Server 2008 R2 SP1:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3202ce6-4056-4059-8a1b-3a9b77cdfdda
Hyper-V Server 2008 R2 SP1:
http://www.microsoft.com/downloads/details.aspx?familyId=92E2C4BA-6965-4F8E-ABBE-CBB40556B680
Updated Hyper-V Management Tools for Windows 7 SP1 now available
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
Update to the Hyper-V Best Practices Analyzer:
http://support.microsoft.com/kb/2485986
SCVMM:
SCVMM 2008 R2 SP1:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9189bbce-d970-4c6c-9dd3-9e65798ecd70
Updated Configuration Analyzer for SCVMM to include 2008, 2008 R2, and 2008 R2 SP1
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=02d83950-c03d-454e-803b-96d1c1d5be24
Remote Desktop Services Connector for System Center Virtual Machine Manager
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=db795773-2f9f-4439-9df7-0bf162576e57
Planning for a Microsoft VDI Deployment
In the past, desktop virtualization administrators have used Microsoft for only part of their VDI (virtual desktop infrastructure) while using solutions from VMware or Citrix as the primary basis.
You may be already familiar with Microsoft’s client-hosted enterprise desktop virtualization solution – MED-V. VDI is Microsoft’s server-based desktop virtualization solution combining all of the following for engine support all the way to complete end-to-end management:
- Hyper-V
- Windows 7
- Windows Server 2008 R2
- System Center Virtualization Manager
- Remote Desktop Services
- RemoteFX
Windows Server 2008 R2 Service Pack 1 adds two new components (RemoteFX and Dynamic Memory) that fill two holes related to management flexibility and user experience, and that now make Microsoft almost a no-brainer choice for your VDI solution.
Microsoft’s virtualization main page is found here:
http://www.microsoft.com/virtualization/en/us/products-desktop.aspx
First things first,
Licensing Information regarding VDI. One of the first things customers want to know is what are the costs and the potential cost savings:
In terms of how it works, here is Microsoft’s VDI solution at a high level:
http://blogs.msdn.com/b/rds/archive/2009/08/19/microsoft-vdi-overview.aspx
The next items of concern are often what infrastructure changes will need to be made. Moving to a VDI environment will require the presence of a Windows 2008 or Windows 2008 R2 domain controller (depending on the Hyper-V/RDS platform being used.) You will also need to update the schema accordingly to support these domain controllers and subsequent services required for the VDI environment.
Here are the outlines of the Windows 2008 and Windows 2008 R2 Schema changes:
Windows 2008:
http://technet.microsoft.com/en-us/library/cc730930(WS.10).aspx
Windows 2008 R2:
http://technet.microsoft.com/en-us/library/dd378828(WS.10).aspx
You will need to have the Windows 2008 schema changes at a minimum; however, the minimum AD domain level supported is Windows 2000 native. Windows 2000 mixed or Windows 2003 interim are not supported.
From: http://technet.microsoft.com/en-us/library/dd883277(WS.10).aspx
The following are important considerations about assigning a personal virtual desktop to a user in AD DS:
- To deploy personal virtual desktops, your schema for the Active Directory forest must be at least Windows Server 2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and Computers from a computer running Windows Server 2008 R2 or a computer running Windows 7 that has Remote Server Administration Tools (RSAT) installed.
- You must use a domain functional level of at least Windows 2000 Server native mode. The functional levels Windows 2000 Server mixed mode and Windows Server 2003 interim mode are not supported.
- Ensure that the RDVH-SRV computer meets the Hyper-V installation prerequisites (http://go.microsoft.com/fwlink/?LinkId=122183).
- The user account and the virtual machine must both be members of an Active Directory domain.
- Personal virtual desktops can only use Windows client operating systems. You cannot install Windows Server® 2008 R2 on a virtual machine and assign it as a personal virtual desktop.
- A user can be assigned only one personal virtual desktop at a time.
- A virtual machine can be assigned as a personal virtual desktop to only one user at a time.
- The name of the virtual machine in the Hyper-V Manager tool must match the fully qualified domain name (FQDN) of the computer.
Sizing Concerns:
Alongside infrastructure changes and concerns is capacity planning. Here is a good webcast on planning and sizing session virtualization and bandwidth for VDI:
http://www.microsoft.com/showcase/en/us/details/5e9fe509-a9e2-43a0-99e9-c79b655a3412
And a good document as well:
RD Web Access Information:
http://technet.microsoft.com/en-us/library/dd883265(WS.10).aspx
RD gateway Information:
http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx
Why VDI for Hyper-V Whitepaper:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f0533021-ca5a-4330-b839-1efedad14479
Windows 2008 R2 SP1’s RemoteFX feature for Hyper-V
If you have time, also check out the VDI videos on TechNet Edge:
http://technet.microsoft.com/en-us/edge/ff832960.aspx?query=1&Category=virtualboy
Description and Explanation of the “Failed unregistering callback tracking connected process termination” Error 997 in App-V
Have you ever noticed that periodically you may see the following error in the SFTLOG.TXT and/or the Windows Application event log:
Failed unregistering callback tracking connected process termination (error: 997).
You will also see the following in the Event Log:
Log Name: Application
Source: Application Virtualization Client
Date:
Event ID:
Task Category: (3)
Level: Warning
Keywords: Classic
User: N/A
Computer: <name>
Description:
{tid=1C3C}
Failed unregistering callback tracking connected process termination (error: 997).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Virtualization Client" />
<EventID Qualifiers="16384">3219</EventID>
<Level>3</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-09-18T19:34:05.000000000Z" />
<EventRecordID>834</EventRecordID>
<Channel>Application</Channel>
<Computer>COMPUTERNAME</Computer>
<Security />
</System>
<EventData>
<Data>{tid=1C3C}
</Data>
<Data>997</Data>
</EventData>
</Event>
Here is an explanation of situations where this event may occur:
When one of the App-V client’s front-end components (i.e. UI or SFTTRAY) connects to the SFT Listener, the Listener opens a process handle to that front-end component and calls a system API that automatically monitors for that process handle being signaled (i.e. the process exited) and invokes a callback function in the Listener if that occurs. If the front-end component disconnects normally, the monitoring of the handle is canceled. In this case, it appears that when the unregistration of the callback function was attempted, the callback function had already been queued up or was in the process of executing, which caused this warning to be reported.
In most cases this message is benign. This will often happen when the SFTDCC processes overlap with publishing refreshes and will also happen often on TS/RDS logoffs – especially with Server 2008 and beyond. You will also see this paired with User Profile Service registry closure events.
Setting the online registry key wrong for App-V RDS Client Users in Full Infrastructure Mode will cause new users to not get Applications after Publishing/Refresh
Users may find when running the App-V Remote Desktop Services Client (Terminal Services Client) that precached applications do not appear for newly logged-on users of the RDS/TS server, although existing users still have access to the applications.
This happens even though the new users are members of the same groups previously given authorization to the application in the App-V Management Server console.
This can happen on Terminal Servers (RDS) if the following registry keys are set at the same time:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<Current Version>\Client\Network
Value:
Online – Set to 0
AllowDisconnectedOperation – Set to 1
The other users had previously refreshed against the server and gained access to the application prior to the “Online” key being set to 0. Once this was done, there are no refreshes against the server and, as a result, new users never get an application list from the server.
App-V: Description of Feature Flags When Configuring the Office 2010 Deployment Kit for App-V
32-bit:
ADDLOCAL=Click2runMapi,Click2runOWSSupp,Click2runWDS,OSpp,OSpp_Core
64-bit:
ADDLOCAL=Click2runMapi,Click2runOWSSupp,Click2runWDS,OSpp,OSpp_Core,OSppWoW64
The options here:
- Click2runMapi: For MAPI Overrides
- Click2runOWSSupp: Microsoft SharePoint Client Support
- Click2runWDS: Search MAPI Protocol Handler and Host Search MAPI Protocol Handler Manager Overrides. This allows for Fast Search in Outlook
- OSpp: Microsoft KMS Client.
- OSpp_Core: Office Software Protection Platform
- OSppWoW64: Microsoft KMS Client for x64.
Then on the client, we deploy the handlers, which put the host-side handlers in place. This will expose the proxies.
ADDDEFAULT=Click2runOneNoteProxy,Click2runOutlookProxies,Click2runWDSProxy,Click2runOWSSuppProxies
- Click2runOneNoteProxy: Send to OneNote printer Proxy
- Click2runOutlookProxies: All MAPI and Mail control panel applet
- Click2runWDSProxy: Search Proxy and Office Document indexing
- Click2runOWSSuppProxies: SharePoint Client