AD Group Scope

Some people are having difficulties to differentiate between Universal, Global and Domain Local groups (including me, sometimes).  The table below illustrates the differences between those group scopes.

Some lesson learnt :-

• Global groups can be added to Domain Local groups (from the same domain or crossed-domain), but not vice versa
• For Global groups, you only can add accounts from its domain and its parent Global groups
• In order to add accounts from any domain, you need to have Local Domain groups, Global groups won’t allow you to do so.
• Converting a group to Domain Local, add those crossed-domain users, and convert it back to Global group won’t do the trick.
• Domain Local groups cannot be added to Domain Local groups from any domain except for its domain and the parent.

Group scope	Group can include as members…	Group can be assigned permissions in…	Group scope can be converted to…
Universal	·      Accounts from any domain within the forest in which this Universal Group resides ·      Global groups from any domain within the forest in which this Universal Group resides ·      Universal groups from any domain within the forest in which this Universal Group resides	Any domain or forest	·      Domain local ·      Global (as long as no other universal groups exist as members)
Global	·      Accounts from the same domain as the parent global group ·      Global groups from the same domain as the parent global group	Member permissions can be assigned in any domain	Universal (as long as it is not a member of any other global groups)
Domain local	·      Accounts from any domain ·      Global groups from any domain ·      Universal groups from any domain ·      Domain local groups but only from the same domain as the parent domain local group	Member permissions can be assigned only within the same domain as the parent domain local group	Universal (as long as no other domain local groups exist as members)

Note

The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.

source : http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

Read More

XTE Service Cannot be Started

Citrix XTE Server service is one of the essential service in Citrix XenApp. it is directly relates to Session Reliability. What is Session Reliability? Please read from here and here. Is Session Reliability Goood? Hmm, read this article and go figure it out. (such a lazy bum of me, huh?)

It might occurred in your environment that XTE Server service can't be started at one server, while the rest are fine. Session Reliability option is enabled from Citrix Console.  So, what's next?  

Issues :

You may received below error when you want to start XTE Server service.

 

Troubleshooting 

browse to %programfiles%\Citrix\XTE\Conf, check whether file httpd.conf is existed / is there any content inside the file.

Resolution :

1. Copy the file from server that is working fine. 
   
   

Read More

No Printers Listed in Citrix XenApp Session - ICA-tcp Listener Configuration Error

Users reports that they are not able to perform printing. Services are up and running, but issue still persist, although after you restarted those Printer Spooler and Citrix Print Management services. 

In addition, required Service IDs are properly configured. Users reboot their workstations, but to no avail. So, what is next?


Issues :

• Users may received one or more errors regards to printing. Below are some of the error examples :
  
  

 - or - 

• Meanwhile from server perspective, no printers listed in Printer and Faxes

• Upon checking the services, both Printer Spooler and Citrix Print Management services are started. Issue remains although those services restarted. Required Service ID (ctx_cpsvcuser) is in place.

Troubleshooting 

1. Press Start, hover to Administrative Tools, click at Terminal Service Configuration. Or, press Start, choose run type tscc.msc, and press enter.
   
2. Right click at ICA-tcp listener, and choose Properties
   
3. Inside ICA-tcp Properties, focus on Permission tab. Ensure Service ID ctx_cpsvcuser is listed, with proper permission. If it is not, follow below steps.
   

Resolution :

1. Click at the Advanced button.
   
   
   
2. Click Add... to add new user
   

   
3. Add this user (ctx_cpsvcuser), press Check Names and OK
   \
4. For the Permission Entry, Clear the Logon permission and Add Query Information and Virtual Channels with Allow permission.
5. Ensure you will see the user (ctx_cpsvcuser) added, press Apply and OK.
   
   
6. You will see the ID added to ICA-tcp properties, as below.
   

   

Read More

Cannot Find a Valid Terminal Services License Server

After installing Terminal Services Role to a server, you may want to specify the license server. The Terminal Server will make an attempt to locate the Terminal Service License servers first, before make an attempt to follow automatic license server discovery process. You may see below balloon :

Note that this is for Windows Server 2008. For Windows Server 2003, please go to here.

Description :

• You want to specify Terminal Services License server, so Terminal Services role can be used by servers.

How To Do :

1. Go to Start > Administrative Tools > Terminal Services > Terminal Services Configuration. Or you can type tscc.msc in Run box.
   
   
   
2. Right click at License server discovery mode, and click at Properties.
   
   
   

Read More

How To Auto-Create and Configure ctx_cpsvcuser

As mentioned in previous post,  ctx_cpsvcuser can be created and configured with a tool, but it is limited to certain Citrix XenApp versions only :

• Feature Pack 1 for Presentation Server 4.5
• Presentation Server 4.5 for Windows Server 2003
• Presentation Server 4.5 for Windows Server 2003 x64 Edition
• XenApp 5.0 for Windows Server 2003 x64
• XenApp 5.0 for Windows Server 2003 x86

Description :

• Using tool to create Service ID ctx_cpsvcuser in Citrix XenApp servers.

How To Do :

1. Download the re-creation tool here.
2. Upload the files to Citrix server.
3. Run command prompt, browse to the uploaded folder, and run below command.

   

   32-bit : CtxCpsvc10.exe –install | 64-bit : CtxCpsvc10_x64.exe –install

   
   
4. once done, double check the Citrix Print Management service. Ensure it can be started and set to Automatic.

Reference :

• http://support.citrix.com/article/CTX113554/

Read More

No Printers Listed in Citrix XenApp Session - Required Service IDs Missing

Previously we talked about printing issue due to missing service / services not started. However, there is another possibility of printing issue to occur, which related to required Service IDs. From Citrix technical article, below IDs are needed and must be configured accordingly.

Account Name	Permissions	Notes
Local Service	Minimal	NT AUTHORITY\LocalService
Network Service	Minimal, network resources	NT AUTHORITY\NetworkService
Local System	Administrator	NT AUTHORITY\System
ctx_cpsvcuser	Domain or local user	Acts as a power user
Ctx_StreamingSvc	Domain or local user	Acts as a user
Ctx_ConfigMgr	Domain or local user	Acts as a power user
Ctx_CpuUser	Domain or local user	Acts as a user

Issues :

• Users may received one or more errors regards to printing. Below are some of the error examples :
  
  

 - or - 

• Meanwhile from server perspective, no printers listed in Printer and Faxes

• Upon checking the services, both Printer Spooler and Citrix Print Management services are started. Issue remains although those services restarted.

Troubleshooting 

1. Right click at My Computer, and click at Manage
   
   
   
2. From Computer Management Console, browse to Local Users and Groups > Groups and check whether required Service IDs for both Power Users and Users local group are properly configured.

No required Service IDs configured. It might be accidentally removed by Admin / Monitoring System.

Resolution :

• Add required Service IDs to their respective groups.

Needed IDs : ctx_cpuuser & Ctx_StreamingSvc

 

Needed IDs : ctx_cpsvcuser & Ctx_ConfigMgr

Read More

No Printers Listed in Citrix XenApp Session - Citrix Print Management Service Not Listed

Printing is one of our important tasks in office. Those documents could be cinema online tickets, flights boarding pass, La Liga timetable... oh, all of those are not office-related. Nevertheless, we still need to print officer documents.. erm, resume for interviews, perhaps? =D

This post is to discuss of one possible issue, Citrix Print Management and Printer Spooler Services. Other possible issues will be discussed in other posts. I don't want to make this posts too lengthy (come on, just admit you are too lazy, Heiry...)



Issues :

• Users may received one or more errors regards to printing. Below are some of the error examples :
  
  

 - or - 

• Meanwhile from server perspective, no printers listed in Printer and Faxes

Troubleshooting 

1. Right click at My Computer, and click at Manage
   
   
   
   
   
2. From Computer Management Console, go to Services. Check whether those services are Started / Not Started / Not listed in Services. In below screenshot, Citrix Print Management service is not registered.

Resolution :

• If those Services are not started, re-start them.
• if Citrix Print Management Service is not listed, re-register the service by following below steps. 

1. Run CMD, and browse to %ProgramFiles%\Citrix\System32
   
2. Run below command
   
   cpsvc.exe -install

Read More