Friday, 25 September 2015

vCenter 5.5 - Unable to Grant Permission to Domain ID - No Domain Listed

One fine day, someone came to me and asked, " I can't add domain users to vCenter. Can you help?" So, when I checked, I found this :

So yes, no domain listed there. So when I asked in detail, it seems this was a new deployment, vCenter just being created. Which really helped me to narrow down to root cause.

Issues :

Unable to Grant Permission to Domain ID - No Domain Listed 

  1. Login to vCenter using default admin ID ( administrator@vSphere.local ). These steps shall be done from Web Console rather than vSphere Client.

  2.  Click at Administration

  3. Click at Single Sign-On > Configuration. So as we can see here, only vSphere.local and vCenterServer (Default) are configured in Identity Sources. It means, these are the only domains which can be authenticated to.

Resolution :
  1.  Click at Add Identity Source.

  2.  Depending on the environment, appropriately choose identity source type. For this example, it is Active Directory  (Integrated Windows Authentication).Key in the Domain Name and all required info.

  3.  Once done, you will see the new source listed here.

  4. Newly added domain will be listed here.

Friday, 18 September 2015

The Trust Relationship Between This Workstation and The Primary Domain Failed

This is one of the common issue happen to PVS environment, IF the environment is not properly configured. The trust relationship will failed, if the password expiration days is  set below than computer account password updates. For example, if you set the password to be expired in 5 days, and computer account password updates set for 7 days, the password will then expired 2 days before renewal. Therefore, either disable password expiration, or properly set these 2 options according to Corporate Security policy.

Issues :

PVS : The Trust Relationship Between This Workstation and The Primary Domain Failed

  1.  Accessed to the VDA, could not authenticate using domain ID. 
  2. Convert the VDA to Private mode / Create new version under Maintenance mode, unjoined and rejoined to domain. Put the VDA to Standard Mode / promote to Production, issue persisted.

Resolution :
  1.  Shut down the target device.

  2.  Right click at it, go to Active Directory > and choose Reset Machine Account Password...

  3.  Correctly choose Domain as well as the Organization Unit, and press Reset Account

  4. Resetting target device

  5.  Target Device successfully reset

  6.  Bring up the target device and try again.

Friday, 11 September 2015

How To : StoreFront Factory Reset / Rejoin Citrix StoreFront to Server Group

In some situations, you may need to unjoin a StoreFront server from an existing server group, and join the server to a different server group. However, after you remove it, there is no option to add it back. You will see this screen at your StoreFront server.

So, what it The easiest way? Reinstall StoreFront!

However, there is another cool way to do this, especially if you want to show off in front of your customers (no, I have never done this), or if you want to flaunt your expertise in front of your juniors (never done this as well).

Description :
StoreFront Factory Reset / Rejoin Citrix StoreFront to Server Group

How To Do :

  1.  Close all opened / active Storefront consoles. You will get error if there is active session. Launch PowerShell as Administrator.

  2.  Type asnp Citrix*

  3.  Browse to %Program Files%\Citrix\Receiver StoreFront\Scripts

  4.  Run ImportModules.ps1

  5.   Modules imported

  6. Run this command : Clear-DSConfiguration

  7. Command completed.

  8.  Close PowerShell, and launch StoreFront. You will get the option to join to existing server group back.

Reference :



    Friday, 4 September 2015

    Disabling drive mapping on Server 2008

    In previous post, I mentioned on how to disable drive mapping on Server 2003 via GPO. In this post, I will show on how to disable drive mapping on server 2008.

    Description :
    Disabling drive mapping on Server 2008

    How To Do :
    1.  Access to GPMC, edit the intended GPO. Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
    2. Click at ' Do not allow drive redirection '. That is our target setting
    3. Right click at it, and press Edit
    4.  Choose Enabled, press Apply and OK.
    5.  You can double confirm the setting by checking at ICA-TCP and RDP-TCP Properties. They are now checked, and grayed out.

    6. And this is the explanation by Microsoft on the GPO setting.