We recently held our second Ask the Cloud Experts (ACE) meetup. This monthly series focuses on giving you an additional channel to connect with Citrix experts and get answers to your Citrix Cloud questions. This meetup, on May 14, covered Citrix Profile Management (also known as UPM).
There were a lot of questions, so we’ve broken the transcript of our Q&A into two blog posts (check out Part 1).
Our next ACE meetup is scheduled for Wednesday, June 19. Register today!
If I’m using a file server and want to move profile location to another system like a NAS, what would be the quickest/easiest way of migrating the profile with the least impact?
This really depends on your environment. We recommend picking a time when the fewest users are logged on (a maintenance window is a good example). A couple of weeks in advance, use a tool like robocopy to move as much data as possible; run it on a normal day but at a time when user load is low (such as the evening) so that the initial pass copies everything over. Run the tool again about a week in advance, again at a time of low user load (a maintenance window is again recommended), so it copies over as much as possible. You could run it once more, depending on how long it takes to run. If you can complete that run during the maintenance window in which you are going to cut the profile solution over, that is the best time: users are not connected, because you may have already rebooted the VDAs to clear off user sessions, so you pick up any last items that were locked or could not be copied earlier and you end up with clean copies. Once this is done, change the Path to User Store to the new location. Log in as yourself (a test user) to make sure it works; after testing, you are good to go.
Note: This question was answered by an experienced Senior Consultant who has performed similar cutovers with DFS replication. He indicated that, in his experience, DFS sometimes exhibits issues and doesn’t get everything synchronized the way you would expect it to. Therefore, a method like the robocopy one described above is ideal for these scenarios.
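The staged copy described above, written as a PowerShell wrapper around robocopy. This is an added example, not part of the original Q&A and not Citrix tooling; the share names and log folder are hypothetical, and it assumes an elevated session with rights to read and write security descriptors on both shares.

```powershell
# Added example, not Citrix code. Server/share names and the log folder are hypothetical.
param(
    [string]$Source      = '\\OLDFS01\Profiles$',  # hypothetical current user store
    [string]$Destination = '\\NAS01\Profiles$',    # hypothetical new user store
    [string]$LogDir      = 'C:\Logs\ProfileMigration',
    [switch]$FinalPass                              # use only in the cutover window
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ('robocopy_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))

$roboArgs = @(
    $Source, $Destination,
    '/E',            # all subfolders, including empty ones
    '/COPYALL',      # data, attributes, timestamps, NTFS ACLs, owner, audit entries
    '/DCOPY:T',      # preserve directory timestamps
    '/XJ',           # do not follow junction points inside profiles
    '/R:1', '/W:1',  # do not stall on locked files; a later pass picks them up
    '/MT:16', '/NP', "/LOG:$log"
)
if ($FinalPass) { $roboArgs += '/PURGE' }  # drop destination files deleted at the source

& robocopy.exe @roboArgs
$code = $LASTEXITCODE

# Robocopy exit codes are a bitmask: 8 = some files failed to copy, 16 = fatal error.
if ($code -band 16) { throw "Robocopy fatal error (exit $code). See $log" }
if ($code -band 8)  { Write-Warning "Some files were not copied (exit $code), likely locked. See $log" }

# Spot check: each top-level profile folder must exist at the destination with an
# identical security descriptor, so users keep exclusive access to their own profile.
$mismatch = foreach ($dir in Get-ChildItem -LiteralPath $Source -Directory) {
    $target = Join-Path $Destination $dir.Name
    if (-not (Test-Path -LiteralPath $target)) {
        [pscustomobject]@{ Folder = $dir.Name; Problem = 'missing at destination' }
    }
    elseif ((Get-Acl -LiteralPath $dir.FullName).Sddl -ne (Get-Acl -LiteralPath $target).Sddl) {
        [pscustomobject]@{ Folder = $dir.Name; Problem = 'ACL/owner differs' }
    }
}

if ($mismatch) {
    $mismatch | Format-Table -AutoSize
    Write-Warning 'Resolve the folders above before changing Path to User Store.'
}
elseif ($FinalPass -and $code -lt 8) {
    Write-Output 'Final pass clean: the new share is ready for Path to User Store.'
}
```

Run it without `-FinalPass` for the early passes and with `-FinalPass` once sessions are cleared in the cutover window. A reported ACL difference can also come from different inherited permissions on the new share root, which is worth reviewing before users write to it.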
Is profile container available for 7.15 CU4? I don’t see this particular setting in the GPO Profile Management.
This was released in 1903 so it is not part of LTSR. You have to go to the Current Release for this setting.
What is the purpose of the CPM cross-platform settings policies?
This is not a commonly used setting, but the primary use case for this is to assist with the migration between different operating-system platforms. For instance, you might have a Win7 VDI and want to move to Win10 and want the users to keep their Office settings. From the profile management perspective, we would recommend having a separate profile for every different OS version. But this will also mean that user application settings won’t follow them along. You can specify a particular application and the registry and then have those synchronize between the multiple profiles as part of your migration effort.
Regarding the “delete locally cached profiles on logoff” policy, in which scenarios is it required and when is it not?
In a scenario where you’re using roaming profiles, you will definitely want to delete locally cached profiles. As the profile is copying up, you may have data that doesn’t get copied or there are locked files. Or maybe the user has logged in as an Admin via a different method before (like RDP or other methods that might cache profile data to the server). With roaming profiles, you don’t want any persistence from session to session saved to that local device. This is when you’d want to select this option.
Regarding performance of profile loading and all other DDC services, is it better to have profiles on a separate file server instead of storing them on the DDC?
If you’re using a very small environment you probably won’t notice a performance difference. However, once you start to hit scale, you will definitely notice a performance issue with logins if your Desktop Delivery Controllers (DDCs) are running fairly hot (that is, using a lot of memory, CPU, or IOPS, whether for the Delivery Controller role or for the file services delivered from that DDC). We do not recommend using the same server for multiple purposes. It is best to split this out, even in labs, because you will want the ability to turn machines on and off and perform maintenance and other tasks without impacting other functions, like profile management. In a large environment, do not co-locate infrastructure roles that should not share a server (whether this is your StoreFront servers, Delivery Controllers, etc.). While this is not as impactful in a lab or test environment, it is always best for test environments to mirror production as closely as possible.
Do you have any recommended tools for measuring logon times, especially for troubleshooting profile corruption (e.g., locked files)?
You can use ProcMon and set up a filter for “file locked” to identify locked files. This is the best tool to use when trying to identify locked files or corruption caused by them during logon. Citrix Profile Management utilizes a driver that outputs into the log file located in the C:\Windows\System32\LogFiles\UserProfileManager directory. The Operating System identifies when something is locked and reports back to the driver that it couldn’t do what it needed to do. Looking in the UPM log is not as helpful. You will see “Access Denied.”
Do you recommend enabling the “disable automatic configuration” policy?
This depends on your environment. If you want to configure your profile using specific options for your infrastructure, it is best to disable it and therefore manually specify folder redirection or configurations to guarantee that the look and feel and settings are exactly what you want them to be and not just the defaults.
What are the Citrix recommended tools for CPM troubleshooting and tracing? UPM Troubleshooter or other tools?
We covered details in a previous question, but you can use UPMCheck, Procmon, Perfmon, and UPM logs. Procmon is a good one because you can see what the Operating System is doing. The Citrix profile loads when it’s called by WinLogon. Because this happens during that phase, Procmon can be sorted in a specific way so you can see each interaction and where the most amount of time is occurring. This is really what you want to gather from a technical standpoint if the UPM logs cannot answer your initial questions.
What happens with CPM policies that are set to “not configured”? Which setting becomes effective in this case?
“Not configured” will not be applied to your environment but will keep the “default value.”
What are the main reasons why a temporary profile is created at Citrix user logon?
One of the main causes is that there’s some kind of profile lock (if the profile wasn’t logged out correctly, for instance). Another common one is an issue with the profile path, such as Profile Management not being able to write to that share and then having to revert to a temporary profile. In those scenarios, check the application logs in the Event Viewer and the UPM log as well.
Do you have any suggestions for using Procmon on VMs that are non-persistent? Are there any blogs on the configuration of Procmon for troubleshooting?
Procmon identifies the executables that are running on the machine. Then it identifies the PID (Process ID), the operation it’s trying to perform, the result of the operation, and further details from there, including the path. If you see the CitrixProfileManager.exe you can apply filters or open up Tools (Ctrl+T) to open up the Process Tree, which is commonly used to identify which part of the profile is going wrong. There aren’t any Citrix-specific blogs for this, since this is not a Citrix tool but a Microsoft one. We just use it to identify what our executables or the Operating System are doing. If you’re encountering a specific issue, feel free to open up a case with Citrix Support so that an engineer can help you.
What are the minimum IOPS requirements for the latest CPM versions in LTSR and CR releases?
We don’t have minimum requirements. Usually IOPS is based on what a user is doing. So a regular task worker may be consuming 10 IOPS on a manually provisioned VDA per user. If using MCS/PVS and taking advantage of the RAM cache, this would be cut down to 1/2 or 1 IOPS or so. The IOPS requirements are also dependent on the version of the server you’re using. For general task users, we’d target about 10-15 per user, going up from there. It is better to have more IOPS than fewer on a server, so purchasing faster storage won’t hurt you from a performance perspective, as opposed to using older spinning disk technology. For profiles, the faster the storage, the faster the load time will be. Therefore, fast storage is essential for profiles.
When User Profile Management is configured via Workspace Environment Management, user profile logins are still slow. Why?
If you are encountering a slowness issue, it’s best to try and identify what the root cause is. We have several tools available that can help you with this. Please see Part 1 for details on the tools available for troubleshooting and options on how to troubleshoot slow logon issues. If you require further assistance, please contact your Cloud Success Manager if you have a cloud entitlement or contact Citrix Support directly for assistance.
Are there any published Citrix best practices regarding CPM, such as recommendations for all GPO objects configuration, depending on the scenario (VDI desktop OS vs SBC server OS VDA)?
You can take a look at this helpful article or if you are a Cloud Customer, please visit the Success Center for guides specific to Policies and Profile Management configuration.
We have seen that Folder Redirection Citrix GPO policies do not work as expected. Therefore we need to configure Microsoft Windows Server native GPO policies in order for folder redirection to work. Is this a known issue/limitation?
The Microsoft and Citrix redirection policies are the same ADMX/ADML policies, so use of either is not an issue for Citrix Profile Manager and is a suitable workaround.
If you were running LTSR, you may wish to test 7.15.4000 to see if the issue was fixed as intended. The last version of the VDA software included an issue with the Desktop and AppData (Roaming) redirections, which was being fixed in the latest version of the VDA software and from there will replicate to the next versions of the VDA software.
Any recommendations to keep redirected folders from growing too large? Are there any group policies that can be set via GPMC to restrict the redirected folders size to a fixed amount (particularly if synchronizing Videos/Music/Images folders)?
Windows Server File Server Resource Manager (FSRM) allows you to set quotas. You can also screen for specific files, such as video files based on file types or other rules set by the administrator. FSRM is an effective tool, but it can add complexity and administrative overhead, especially if you deny writes after the quota is hit. Please consult Microsoft’s documentation on FSRM options for more information.
Can you explain what was mentioned during the initial presentation about the CPM symbolic links for handling large files?
Large files in profiles are one of the causes for slow logons and logoffs. To address this, Citrix allows administrators to use symbolic links instead of downloading large files that are part of a user’s profile. To do this, enable the Large File Handling – Files to create as a symbolic links policy and specify the file or files to be handled. Click here for more information.
I have two data centers in the same metro area, and I want a robust fault tolerant profile solution. What’s the best way to configure the profile path?
This is a common configuration for large- and medium-sized deployments. When planning for multiple data centers, it is important to realize that active/active DFS Replication (DFS-R) is not supported. This limits what we can do from a profile solution.
- If the two data centers are well connected (minimal latency 5 ms), we should enable profile streaming and have the user retrieve their profile from a single data center. The problem with this solution is that the profile will only live in one data center, so a technology like clustering will be needed to minimize the risk of downtime during a file server failure.
- The other option is to create a unique profile in each data center. Users can prefer one data center over the other using group membership.
- The last option is to have an active/passive data center with one-way DFS-R from the primary to secondary data center. During a failover scenario, any data written to the DR data center would not be synchronized back to the primary data center. This may be problematic for roaming documents and other specific use cases.
Some storage vendors offer HA solutions for NASs and SANs at different geographic sites. If you opt to go this route, it is essential to test this failover in advance. Citrix Consulting has seen multiple instances where the advertised performance does not match client expectations.
Can you provide a list of third-party solutions that optimize storage/file operations for CPM?
Most often, we recommend Windows File Servers or a NAS solution is used to provide storage for profiles. Microsoft FSRM (File Server Resource Manager) allows for the use of user profile quotas, file screening, file classifications, and storage reports. Some storage vendors also provide features like deduplication and compression.
What is the recommendation for Citrix Profile Management in Linux VDA?
Currently, there is no official support for Linux-based machines and Citrix Profile Management. Because Profile Management configurations involve Windows-specific settings and policies that won’t be applicable to your Linux machines in the first place, if you have Linux machines joined to your Active Directory domain, a separate OU is recommended for these machines.
If you would like to have a centralized place to store Linux user home data, a good alternative you might want to look into involves implementing the use of home directories for these machines by using a Linux-based NFS server. For more information on this, please consult procedures for NFS configuration on your specific Linux flavor.
Please remember that as part of your Cloud subscription, you will be assigned a dedicated Customer Success Manager so make sure to leverage them if you need any additional information, want to join a tech-preview or have specific or follow up questions. Be sure to join us on June 19 for the next ACE Meetup on Networking. Register today!
Thanks for reading!