Why coffee break?  During logon time?  Our logon time is good, no issues there, and so on.  How many of you faced this situation at customers?  We assume quite a bit.  During all the years working at XenApp projects and recently started with XenDesktop projects at several customers, everyone probably faced that logon times are not usually the best.  Users get used to it and do not complain anymore, so there is no issue, because everyone has a coffee break!
Taking the latest announcement of Citrix about the acquisition of sepago’s user profile solution shows again that there are still challenges out there requiring a solution for a stable user profile environment.

Asking administrators about their biggest challenges in a centrally delivered desktop environment, they will usually respond with either “printing” or “user profiles” related to logon and logoff process.  Exactly at this point, many administrators are not familiar with the executed background processes during logon and logoff, which makes troubleshooting difficult for further optimization.

Taking this into consideration, the logon process is usually the first impression an end-user will experience logging on to a centrally delivered desktop, which can be either a XenApp server or a virtualized desktop through XenDesktop.  If this process takes too long, the user acceptance will drastically suffer and leading to the fact that people start questioning a centrally hosted desktop or application infrastructure.

How is the logon process of a user? Roughly the following happens during logon:

  1. The user launches a published application (XenApp) or published desktop (XenApp or XenDesktop)
  2. Citrix component related processes such as load balancing or assigning a virtual desktop or verification of Microsoft TSCAL (XenApp)
  3. Authentication of user at domain
  4. Copy of user profile
  5. Application of group policies
  6. Execution of other processes such as logon scripts
  7. Citrix specific processes such as mapping of client devices or printers
  8. User access published application or published desktop

You may ask now, why is the logon process not detailed more granular? The answer is pretty simple: The logon details are too complex for XenApp or XenDesktop to be listed in this blog.  A good source to get an overview of what is happening during logon and logoff is at Brian Madden’s website, which provides a flow diagram that can easily fill out a A3 format printout.

Now, knowing what is happening roughly, how can I diagnose my logon process?

A good starting point is to leverage Microsoft’s built-in tool for logging all Windows processes during logon – the “User Environment Debugging”.  This is by default disabled and can be enabled by adding a registry key, which is described Microsoft’s Knowledge Base article 221833.

Another good tool is the usage of Citrix EdgeSight, where administrators have the option to isolate performance related issues since EdgeSight provides a user-centric view of delivered applications and desktops.  Furthermore, administrators can also leverage tools such as Windows Performance Monitor, Windows Systinternal Regmon and Filemon or other command line tools.

However, let’s have a look at typical suspects for issues and the according screws to be used.

  • Domain Controller.  This is the core of any Active Directory and the main component during the user logon process.  We could discuss this component in details filling an entire book; however want to highlight only a few relevant screws.
    • Ensure sufficient system resources
    • Properly running DNS (primary name resolution of Windows Server 2003)
    • Monitor your domain controller – especially during peak logon times

      All of the above components have an impact on the logon process, therefore, know what is happening there.

  • User Profiles & GPOs.  User profiles provide a user their “personalized” environment depending on the user profile strategy, which again has a huge impact on logon times.
    • Roaming Profiles provide maximum personalization such as nice wallpapers, saving files on the desktop (especially large files), etc., however can also get quickly out of control if not restricted by certain policies.  Therefore, it is crucial to define a user profile strategy first before starting with any optimization.
    • An ideal profile solution is a Mandatory Profile customized by an administrator that does not allow any personalization by users since it discards any changes applied during runtime.  This is a stable solution however this will probably not meet all users’ expectations.
    • A hybrid solution provided by Citrix User Profile Manager, which is based on the recently acquired technology from sepago called sepagoPROFILE.  The biggest advantage of this solution is that users gain a certain degree of personalization (pre-defined by an administrator) while keeping the stability and slimness of a mandatory profile that ensures a fast logon process.  Other similar solutions are provided by partners such as AppSense, RES, and tricerat.
    • Placement of user profiles may also affect the logon process since any additional network hop, procedures to locate the file server (e.g. DNS) as well the file servers’ utilization can delay logon times.  A possible improvement with mandatory profiles is storing them locally on a XenApp to avoid network copy jobs.
  • Group Policies.  Provide administrators a way to control an Active Directory-based environment.  However, they should be used carefully by reducing it to a minimum set of required group policies, because each policy needs to be processed during logon extending again the logon time.  Thereby, the amount of configured settings is more relevant than the amount of group policy objects.  In order to ensure fast logon times, consider the following:
    • Do not configure unnecessary settings
    • Disable not required settings (e.g. applying solely user specific settings does not require the processing of computer specific settings)
    • Import only required ADM files

Once group policies have been created, you should analyze these with the tool GPResult or RSoP to check for duplicate or conflicting settings.

  • Anti-Virus software.  Today, there is almost no XenApp or XenDesktop environment without Anti-Virus software.  Taking this into account, usually the default configuration is applied, which may be not appropriate and can lead to a delayed logon process.  Therefore, the following configuration settings are recommended:
    • Scan on Write only
    • Scan only local drives
    • Exclusion of .DAT files

Another performance enhancement can be achieved if an organization’s security guidelines permit to scan only files with executable code.  Further details can be found in article CTX114522.

  •  Other possible areas.  Besides the above listed areas and others not covered in this blog, the following are relevant as well:
    • Mapping of client resources such as printers, local drives, audio, COM or LPT-Port – usually the user has access to its desktop once these have been mapped
    • Number of concurrent logons – the amount of executed processes create load on the Write process to the hard disk such as copying user profiles, mapping client resources etc and can be addressed with faster hard disks or a RAID-Controller with a battery backed-up Read/Write Cache.

Even if user profiles provide the impression of a less complex component of the logon process, they should be considered as part of the architectural planning of a XenApp or a XenDesktop environment since every “cool” function may also lead to a delay in logon times.  Doing so, this will ensure acceptable logon times (with no coffee breaks improving efficiency), happy users, less help desk calls because of corrupted user profiles, and cost savings.

We hope that the discussed tools and techniques give you more insights into the logon process.  Luckily, we have now a tool that we can leverage to use in order to ensure happy users.  Therefore, we can only encourage to test out the Citrix User Profile Manager!

Note:  This content was created by Thomas Berger and Tarkan Koçoglu (both from Citrix Consulting) and has been already published in the German Magazine LANline, Edition April 2008 and the Citrix Newsletter “iPunkt Edition 38, April 2008”