Horizon View 6.0 Part 3–Desktop Design Considerations

Whether it is Horizon View, XenDesktop, or some other package, the implementation of a virtual desktop environment requires a significant time investment during the design phase.  If care isn’t taken, the wrong design could be put into production, and the costs of fixing it could easily outweigh the benefits of implementing a virtual desktop solution.

So before we move into installing the actual components for a Horizon View environment, we’ll spend the next two posts on design considerations.  This post, Part 3, will discuss design considerations for the Horizon View virtual desktops, and Part 4 will discuss design considerations for Active Directory.

Virtual desktop environments are all about the end user and what they need.  So before you go shopping for storage arrays and servers, you need to start looking at your desktops.

There are three types of desktops in Horizon View 6:

  • Full Clone Desktops – Each desktop is a full virtual machine deployed from a template and managed as an independent virtual machine.
  • Linked Clone Desktop – A linked clone is a desktop that shares its virtual disks with a central replica desktop, and any changes are written to its own delta disk.  Linked clones can be recomposed when the base template is updated or refreshed to a known good state at periodic intervals.  This feature requires Horizon View Composer.
  • Remote Desktop Session Host Pools – Horizon View has supported Windows Terminal Services for multiuser session support in a limited capacity.  Horizon 6 has enhanced the RDSH features to include PCoIP support and application remoting.  When RDSH desktops and/or application remoting are used, multiple users are logged into servers that host user sessions.  This feature requires Windows Server 2008 R2 or Server 2012 R2 with the RDSH features enabled.

There are two desktop assignment types for desktop pools:

  • Dedicated Assignment – users are assigned to a particular desktop during their first login, and they will be logged into this desktop on all subsequent logins.
  • Floating Assignment – users are temporarily assigned to a desktop on each login.  On logout, the desktop will be available for other users to log into.  A user may not get the same desktop on each login.

Unless you have some overriding constraints or requirements imposed upon your virtual desktop project, the desktop design choices that you make will influence and/or drive your subsequent purchases.   For instance, if you’re building virtual desktops to support CAD users, blade servers aren’t an option because high-end graphics cards will be needed, and if you want/need full clone desktops, you won’t invest in a storage array that doesn’t offer deduplication.

There are a couple of areas that need to be considered when designing the virtual desktops:

  • Horizon View Configuration Maximums -  There isn’t an official VMware document that outlines the official configuration maximums for a Horizon View environment.  However, Ray Heffer has that information available on his blog.
  • Applications – What applications are installed on the end-user desktops?  Who uses them?  Do any of the applications have any special hardware or licensing requirements?  Are there any restrictions on who can access or use corporate applications or where they can be accessed from?
  • Management Tools – What desktop management tools exist in the environment?  The lack of a management tool to deploy applications like SCCM or Altiris will make it harder to manage full clone desktops.
  • Physical Desktop Performance – When sizing out the virtual desktops that make up the desktop pools, it’s important to know  how physical desktops are utilizing the resources they have.  This is important for two reasons – it ensures that the virtual desktops are not being overprovisioned with CPU or RAM and that proper reservations and limits are set on the resource pools that the virtual desktops are assigned to.
  • Company Culture – Are users granted admin rights and able to install their own software without asking IT?  Are computers locked down and all applications white-listed?  Or is it somewhere in the middle? Do users already have experience with remote solutions such as Microsoft RDSH desktops or Citrix?  These are important considerations to keep in mind because environments where users have free run of their company computers may reject a centrally managed VDI environment or increase the workload for the IT staff, and staff who have no experience using Citrix or RDSH may have a hard time adjusting to their desktop being remote.
  • Use Case – How are the virtual desktops going to be used?  What problems are they going to solve for the business and the employees?
  • User Profile Data – User specific session settings need to be preserved, especially if you are using non-persistent desktops or RDSH pools.  Microsoft, VMware, and other partners like Liquidware Labs provide tools for profile management.  If persistent desktops are deployed, user data may remain on the virtual machine, and a backup plan will need to be put in place to protect this data.
  • Antivirus and Security – Users will be accessing the Internet from their virtual desktops, so they need to be secured from the myriad of threats out there.  When selecting an antivirus solution for virtual desktops, you need to understand the impact that it will have on I/O when it updates and scans.  You may also want to look at hypervisor-level security solutions using vShield Endpoint.

Once you have answers to these questions, you’ll be able to put together a design document with the following items:

  • Number of linked clone base images and/or full clone templates
  • Number and type of desktop pools
  • Number of desktops per pool
  • Number of Connection and Security Servers needed

If you’re following the methodology that VMware uses in their design exams, your desktop design document should provide you with your conceptual and logical designs.

Once you have a desktop design document,  you’ll be able to start the infrastructure design.  This phase would cover the physical hardware to run the virtual desktop environment, the network layer, storage fabric, and other infrastructure services such as antivirus.

The desktop design document will have a heavy influence on the decisions that are made when selecting components to implement Horizon View 6.  The components that are selected need to support and enable the type of desktop environment that you want to run.

In part four, we will cover Active Directory design for Horizon View environments.

Horizon View 6.0 Part 2 – Prerequisites and System Requirements

In order to deliver virtual desktops to end users, a Horizon View environment requires multiple components working together in concert.  Most of the components that Horizon View relies upon are VMware products, but some of the components, such as the database and Active Directory, are 3rd-party products.

What components does a Horizon View environment need, and what are the system requirements for these components? 

The Basics

The smallest Horizon View environment only requires four components to serve virtual desktops to end users: ESXi, vCenter, a View Connection Server, and Active Directory.  The hardware for this type of environment doesn’t need to be anything special, and one server with direct attached storage and enough RAM could support a few users.

All View environments, from the simple one above to a complex multi-site Cloud Pod environment, are built on this foundation.  The core of this foundation is the View Connection Server.

Connection Servers are the broker for the environment.  They handle desktop provisioning and user authentication and access.  There are two types of Connection Servers – Standard Connection Servers and Replica Connection Servers.  Both types of Connection Servers have the same feature set, and the only difference between the two is that the standard server is the first connection server in the environment.

Connection Servers can also manage access to multiuser desktops and published applications on Remote Desktop Session Host servers.

The requirements for a Connection Server are:

  • 2 CPU
  • Minimum 4GB RAM, 10GB recommended if 50 or more users are connecting
  • Windows Server 2008 R2 or Windows Server 2012 R2
  • Joined to an Active Directory domain
Note: The requirements for the View Security Server are the same as the requirements for View Connection Server minus being joined to an Active Directory domain. 

Aside from the latest version of the View Connection Server, the requirements are:

ESXi – ESXi is required for hosting the virtual machine The versions of ESXi that are supported by Horizon View 6 can be found in the VMware compatibility matrix.  All versions of ESXi 5.1 and ESXi 5.5 Update 1 are supported, but ESXi 5.5 without Update 1 is not supported.

vCenter Server – The versions of vCenter that are supported by Horizon View 6 can be found in the VMware compatibility matrix.  All versions of vCenter 5.1 and vCenter 5.5 Update 1 are supported, but vCenter 5.5 without Update 1 is not supported.  The vCenter Server Appliance and the Windows vCenter Server application are supported.

Active Directory – An Active Directory environment is required to handle user authentication to virtual desktops, and Group Policy is used to configure a number of user profile, virtual desktop and PCoIP settings.  The Server 2008 domain functional level and above are supported.

Advanced Features

Horizon View has a lot of features, and many of those features require additional components to take advantage of them.  These components add options like secure remote access, profile management, and linked-clone desktops.

Secure Remote Access – Remote access to virtual desktops and published applications is handled by the View Security Server.  The Security Server is designed to sit in the DMZ and relay or proxy connections to the Connection Server that it is paired with.  Security Servers do not need to be joined to a domain, and they have the same system requirements as a Connection Server.

Linked-Clone Desktops – Linked Clones are virtual machines that share a set of parent disks.  They are ideal for some virtual desktop environments because they can provide a large number of desktops without having to invest in new storage technologies, and they can reduce the amount of work that IT needs to do to maintain the environment.  Linked Clones are enabled by View Composer.

The requirements for View Composer are:

  • 2 CPUs
  • 4 GB RAM, 8GB required for deployments of 50 or more desktops
  • Windows Server 2008 R2 or Server 2012 R2
  • Database server – supported databases include Oracle and Microsoft SQL Server.  Please check the compatibility matrix for specific versions and service packs.

Persona Management – A user’s settings need to roam with them when they are in an environment with non-persistent desktops.  Persona Management is VMware’s answer to that by storing the full user profile in a central network location and loading it when the user logs in.  In some ways, it is like Roaming Profiles on steroids, and it works with Folder Redirection.

Networking

Horizon View requires a number of different ports to be opened in the Windows firewall as well as the firewalls between untrusted and trusted zones in the network.   Rather than write a long table with all of these ports like I intended, I’ll link to a nice graphic put together by VMware that maps it all out.

The original image, along with a detailed explanation of the map, can be found in Ray Heffer’s post on the VMware Blog site.

Horizon View 6.0 Part 1–What’s New and Improved

Back in April, VMware announced Horizon View 6.0 during a special End-User Computing webinar.  The announcement heralded some major feature additions to the desktop virtualization suite including Remote Desktop Session Host support for application publishing and support for multi-datacenter environments with the Cloud Pod Architecture.

This release has been eagerly awaited, and it finally was released to general availability on June 19th.  It is now available for download on VMware’s website.

The Series

Like my last series on View 5.3, this series will cover the installation of the Horizon View components and related infrastructure.  The topics will be similar to the last series, and I will be creating a landing page for all posts in this series.

What’s New

VMware promised a lot of changes and improvements with Horizon View 6, and they’ve delivered.  There are a number of features that the community has been asking for, and a few less popular options have been removed from the product.

Some of the new features are:

  • Remote Desktop Session Host Support – Horizon View 6 now supports multiuser sessions on Remote Desktop Session Host servers using PCoIP
  • Application Publishing – The expanded support for RDSH also allows for application publishing from RDSH servers.  This feature was missing from previous versions of the Horizon Suite and frequently requested.
  • Cloud Pod Architecture – Larger environments with multiple datacenters had to manage the View environment in each datacenter separately.  Cloud Pod architecture allows administrators to manage up to 20,000 desktops in four pods in two datacenters as one environment.
  • Full Server 2012 R2 Support for all View Server Components
  • Remote Experience Agent is now integrated into the Horizon View desktop agent and does not require a separate installer
  • Feature Pack 1 is now fully integrated into the View Server installer and does not require a separate installer.
  • Space Reclamation supported on Windows 8 and Windows 8.1 Linked Clone Desktops
  • Persona Management supported on Windows 8.1 and Server 2008 R2 desktops. Note: Persona Management is not supported on multiuser RDSH sessions
  • Blast can now support up to 800 connections per Connection Server/Security Server combination.

One of the biggest changes, though, is a feature that is not included in Horizon View 6.  VMware has ended support for Local Mode desktops,  and this feature was not included with this release.  VMware will be utilizing Mirage to provide similar capabilities as local mode going forward.

If you’re interested in learning more about the additions and changes to Horizon View 6, you can check out the Release Notes here.

The next couple of posts in this series will review the architecture of Horizon View 6 and the components that are in the environment.

Sexism, Bro Culture, and IT – Thoughts on A Recent Advertising Campaign

On June 4th, 1919, the United States Senate passed what would go on to become the 19th Amendment to the US Constitution, which granted sufferage to women, by a vote of 56 yeas to 25 nays.  It would take more than a year to officially become part of the Constitution.

History, it seems, is not without a sense of irony.  Yesterday, Nutanix launched a new ad campaign called nixVblock.  This campaign, which should have highlighted the advantages of their product over the VCE converged infrastructure, instead veered into “Bro Culture” territory with “high brow humor” that is normally reserved for locker rooms, fraternity houses, and lite beer commercials.

The primary characters of the nixVblock ads are an IT guy named Doug and his “date” Vicky Block, who goes by VBlock for short.  While Doug is characterized as your average IT infrastructure engineer, “VBlock” is supposed to be an uninteresting, high maintenance woman who hears three voices in her head and dresses like three separate people.

The “VBlock” character is supposed to represent the negatives of the competing VCE vBlock product.  Instead, it comes off as the negative stereotype of a crazy ex that has been cranked past 11 into offensive territory.

When I saw the videos, I was offended.  These videos were laden with unfortunate implications (warning: TV Tropes link), and they hit a lot of my berserk buttons (warning: another TV Tropes link).  I found them to be both sexist and insulting to those suffering from mental illness.  These negatives completely overshadowed any positives that I might have picked up about their product.

But most of all, I’m disappointed.  Nutanix has great technology and some of the smartest people in tech working for them.  They didn’t need to stoop to this level, and this ad campaign showed a complete lack of awareness for current events.

In the last couple of weeks, we’ve had the following:

You’d think that someone, somewhere in the company, would have seen these and thought “Maybe this is a bad idea.  Maybe we should scrap these videos.”

Obviously, that did not happen.

It’s 2014.  Why do we need to continue to perpetuate sexism in IT?

Note: Nutanix appears to have pulled the videos from the nixvblock website prior to this post.

Exam Experience Recap – VCAP Desktop Administrator

On Tuesday, May 20th, I sat for the VCAP Desktop Administrator Exam in Milwaukee.  The exam covers a broad range of topics on Horizon View, Persona Management, and other related infrastructure components such as Group Policy.  Although I don’t work with View on a daily basis anymore, I wanted to sit for this exam as $work will be starting a Horizon View implementation this summer.

I received the official score report on Thursday night, and I did not pass.  I scored a 278 out of 500.

My exam experience mirrors Jason Shiplett’s first attempt.  I ran into an issue early in the exam that cost me time – time that I could have used to complete a few of the questions that I had in progress when the exam ended.

I didn’t prep as well as I should have before this exam.  I read through the blueprint, and I reviewed Chris Beckett’s VCAP DTA study guides.  Despite these two resources and a lot of hands-on experience with View, I went into the exam with some huge gaps in my knowledge in areas of the product suite that I hadn’t worked with in my lab or a production environment.

Unfortunately, the agreement that I had with my wife was that I would only get one crack at the exam before VMworld, and I will need to wait until August before I can take it again.  That will give me a little more time, though, to work on the areas where I need improvement.

Keys to the Exam

1. Time Management is critical. You have a very short time to complete the 23 questions on the exam.  Spending too much time on one area will hurt you.  You may also need to bounce around between questions.  I tried to use the materials my testing center provided to keep track of where I was.

2. If there is a task that you don’t know how to do, skip it and come back to it later.  You’ll lose too much time if you’re searching the documentation.

3. Hands-on Experience is a Must.  This is a practical exam, and you’re tested on successfully completing tasks.  You won’t be able to pass this exam if you don’t actually put View in a lab and try to work through the blueprint.

4. Read the blueprint and Chris Beckett’s notes that I linked to above.

Horizon View 5.3 Appendix F: Monitoring the View Event Database

One of the nice features of Horizon View 5.3 is the Events Database.  When its configured, the Events Database will collect and store any events from the Horizon View environment.

Unfortunately, VMware never built any notification tools into View to alert administrators when errors occurred and were recorded in the Events database.  There have been workarounds to this using PowerShell or SQL Mail to send database alerts, but this requires a scheduled task or SQL Agent job to ensure that it runs on a regular basis.

There is another option that can be used for Event database alerting.  Chris Halstead (Twitter: @chrisdhalstead) developed a tool called the Horizon View Event Notifier that recently became a VMware Fling. 

The Horizon View Event Notifier is a simple little application that is very easy to set up.  It’s so easy, in fact, that it doesn’t even have an installer – you just create a folder for the application and drag the executable and the config file into a folder and double-click to launch it.

Unfortunately, this simplicity carries a heavy price.  The Event Notifier cannot be run as a scheduled task or service.  It must run interactively, and if the server running the application is rebooted, an administrator will need to log in, restart the application, and then lock the computer or disconnect their session without logging out.  Chris has stated that this is one of the things he hopes to address in the next version of the program.

Configuring the Horizon View Event Notifier

After you’ve finished installing the Event Notifier, it’s time to start configuring it. 

1.  Click the settings tab.

1

2. Fill in the Name, DB Server, Database, Username and password fields.  If you have multiple View pods storing information in the same events database, you may need to enter your table prefix in the Table Prefix field. 

If you are connecting to a SQL Server instance, enter servername\instancename in the DB Server field.

2

3. Click Test Connection to verify that the Event Notifier Application can log into the database.

4. Click Save Changes to save the database information to the config file.

5. Select the type of events that you want to receive email alerts on and then click Save Changes.

3

6. Enter your email server, port number, sender address, and recipient address.

Note: The application does not appear to support email servers that require authentication, such as Gmail, at this time. 

4

7. Click Send Test Email to verify that email alerts work.

8. Click Save changes.

9. Click Start to have the application start monitoring your View Events database.

Note: The application will need to be launched and the start button clicked every time the computer is rebooted.

Do I Need It?

If you don’t have any other form of alerting configured for Horizon View Events, this program will help you maintain a healthy View environment.  It’s saved my bacon a few times when a recompose operation failed and left a pool unusable.  If I this tool hadn’t been in place, I would have had a flock of angry users with no desktops. 

Horizon View 5.3 Appendix E: Converting The View Group Policy Templates to ADMX

VMware View includes a set of Group Policy templates that can be used to centrally manage settings for View desktops and servers.   These templates are required for fine tuning the behavior of a Horizon View environment and the PCoIP and Blast protocols that are used when connecting to desktops.

Brian Suhr recently wrote a great article on how to deploy the Group Policy templates on Petri. 

There is one main drawback to the Group Policy templates that are included with Horizon View – they’re ADM files.  Prior to Windows Server 2008, Group Policy templates were deployed using ADM files.  If a non-standard ADM file was used as part of a Group Policy Object, that ADM file would be included with the group policy object when it is saved onto the domain Sysvol.  This leads to Sysvol bloat and can have a negative impact on Active Directory Replication.

Microsoft addressed this issue with updates to Group Policy in Windows Server 2008.  Server 2008 allowed Administrators to create a network-based “central store” where the new Group Policy template files are stored.  These templates could then be referenced by any workstation or server that was Vista/Server 2008 or newer when authoring or editing Group Policy without having to install them.

Converting the View ADM Files to ADMX

I haven’t found many tools that convert ADM files to ADMX files.  Microsoft has released a free conversion tool, but it didn’t convert the View ADM files properly, and a number of GPO settings did not work after using this tool.

The only other ADM converter tool that I was able to find was Syspro’s ADM Template Editor.  This $60 tool can edit existing ADM templates or convert them to ADMX files.  A 30-day free trial of the ADM Template Editor is available.

The first thing that you will need to do is download, install, and register ADM Template Editor.  Once you have done this, you can start converting the ADM files.

The steps for converting ADM files to ADMX files using the ADM Template Editor are:

1.   Copy the View ADM files to the server or workstation where ADM Template Editor is installed.  On a default installation of View, the ADM files are located in C:\Program Files\VMware\VMware View\Server\Extras\Group Policy on any Connection Server.

Group Policy Files Location

2.  Open ADM Template Editor.

3. To configure ADM Template editor to save new ADMX files directly into your Group Policy Central Store, go to Setup –> General Setup and enter the path to your Group Policy Central Store into the ADMX directory field. 

ADM Convert Pre-Step

Note: If your Active Directory Administrator has not set up a Group Policy Central Store, please refer them to this article.

4. Go to File –> Add Existing ADM file…

ADM Convert 2

5.  Select the ADM files you want to load and click Open.

ADM Convert 3

5.  Go to File –> Convert ADM to ADMX

ADM Convert 4

6.  Select the ADM file(s) you want to convert and click Convert.

ADM Convert 5

7.  The next screen allows you to change metadata before converting the ADM file.   Make any changes as required and then click OK.

ADM Convert 6

8. Go to File –> Save Files.

ADM Convert 7

9. Click Save As

ADM Convert 8

10. Save the files into a directory where you will be able to find them easily.

ADM Convert 9

11. Open the directory where you saved the ADMX files.  Copy the ADMX files and the language folder to your Group Policy Central Store.

Note: The converted Group Policy templates will not be available at remote Active Directory sites until replication occurs.

12. When you create a new Group Policy object, the converted ADMX templates should be available under Administrative Templates.

ADM Convert 11

VMworld Call For Papers Voting Closes Sunday

Voting on the VMworld call for papers submissions closes on Sunday night.  If you’re interested in helping chart the course of this year’s VMworld, you can vote at http://www.vmworld.com/voting.jspa.

If you do plan on voting, I would highly recommend voting for the following session:

Session 1500 – Auto Deploy Deep Dive by Rob Nelson

Rob previously presented on this topic at vBrownbag.

I have two submissions for this year’s conference:

Session 1352 – Automating Horizon View with PowerShell

Session 2690 – Managing Microsoft Active Directory and Exchange with vCenter Orchestrator

I would recommend that you look through the submission catalog if you have time.  There are a lot of good presentation ideas from community members, such as Kendrick Coleman’s “How to Turn a vSphere Administrator into a Goat” and a session by Brian Suhr and Chris Wahl on understanding virtual workloads.

Remember, you only have until Sunday night to vote and influence this year’s VMworld.

Horizon 6 and Profile Management? It’s Not the Big Deal That Some Are Making It Out To be…

When VMware announced Horizon 6 last month, there was a lot of excitement because the Horizon Suite was finally beefing up their Remote Desktop Session Host component to support PCoIP and application publishing.  Shortly after that announcement, word leaked out that Persona Management would not be available for RDSH sessions and published applications.

There seems to be this big misconception that without Persona Management, there will be no way to manage user settings, and companies that wish to overcome this shortcoming will need to utilize a 3rd party product for profile management.  A lot of that misconception revolves around the idea that there should only be one user profile and set of applications settings that apply to the user regardless of what platform the user logs in on.

Disclosure: Horizon 6 is still in beta.  I am not a member of the beta testing team, and I have not used Horizon 6.

There are two arguments being made about the lack of unified profile management in Horizon 6.  The first argument is that without some sort of profile management, users won’t be able to save their application settings.  The article quotes a systems administrator who says, “If you rely on linked clones and want to use [RDSH] published apps, it won’t remember your settings.”

This is not correct.  When setting up an application publishing environment using RDSH, a separate user profile is created for each user on the server, or servers, where the applications are hosted.  That user profile is separate from the user profile that is used when logging into the desktop.  In order to ensure that those settings follow the user if they log into a different server, technologies like roaming profiles and folder redirection are used to store user settings in a central network location.

This ability isn’t an add-on feature, and the ability to do roaming profiles and folder redirection are included with Active Directory as options that can be configured using Group Policy.  Active Directory is a requirement for Horizon environments, so the ability to save and roam settings exists without having to invest in additional products.

The other argument revolves around the idea of a “single, unitary profile” that will be used in both RDSH sessions for application publishing and virtual desktops.  There are a couple of reasons why that this should not be considered a holdup for deploying Horizon 6:

  1. Microsoft’s best practices for roaming profiles (2003 version, 2008 R2 version, RDS Blog) do not recommend using the same profile across multiple platforms, and Microsoft recommends using a different roaming profile for each RDSH farm or platform.
  2. Citrix’s best practices for User Profile Manager, the application that the article above references as providing a single profile across application publishing and virtual desktops, do not recommend using the same profile for multiple platforms or across different versions of Windows.

There are a couple of reasons for this.  The main reason is that there are settings in desktop profiles that don’t apply to servers and vice versa or across different generations of Windows.  There is also the possibility of corruption if a profile is used in multiple places at the same time, and one server can easily overwrite changes to the profile.

Although there may be some cases where application settings may need to roam between an RDSH session and a virtual desktop session, I haven’t encountered any cases where that would be important.  That doesn’t mean those cases don’t exist, but I don’t see a scenario where this would hold up adopting a platform like the article above suggests.

Follow

Get every new post delivered to your Inbox.

Join 571 other followers