At the end of March 2023, new versions of the products that make up the Horizon suite were released. (Connection Server, Volume App, DEM, and Unified Access Gateway)
There are several interesting features, below I report the link to each release note.
I bring to your attention the presence of AppVolume in a preview solution related to the use of AppVolume in the Azure environment. (This deployment option is intended for applications packages and not Writable Volumes)
Among the many features of DEM (Dynamic Environment Manager) to manage the roaming of user profiles (especially when we talk about Horizon Pool Instant Clone), there is the possibility to manage the mapping of printers.
Using this feature is tied to using a Printer Server (at least you must specify the path to the printer with a UNC)
So if we need to map printers that are not managed by print server we can do as follows:
Mapping scripts
We create a mapping script and place it in a network share, reachable by all the Instant Clone VDI that must use it.
The script uses two Windows commands, located in the folder: %WINdir%\System32\printing_Admin_Scripts\en-US\
(en-IT depends on the language used on the Windows 10 environment)
cscript %WINdir%\System32\printing_Admin_Scripts\en-US\prnport.vbs -a -r <name of the thing> -h <IP address> -o -raw -n 9100
cscript %WINdir%\System32\printing_Admin_Scripts\en-us\prnmngr.vbs -a -p “<printer name>” -m “< driver to use>” -r “<thing name>”
The share must have the following permissions:
At the share level Everyone FullControl
At the file system level, the group that needs to install the printer must have:
Now we access DEM and configure the part of logon Task
In my case I also impose a condition that only the user fstorni can perform this task
We save everything
At the next logon the user fstorni will map the printer, and we can check from the DEM logs:
While all other users will not be able to map the printer
If you see such an error on the Cluster object of a vSAN (in my case it appeared on two vSAN clusters managed by the same vCenter)
vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service …….
an unhealthy state of the Service cluster
Errors such as the following in the EAM log. vCenter LOG
EAM.log:
2023-01-26T13:16:39.996Z | INFO | vim-monitor | VcListener.java | 131 | Retrying in 10 sec.
2023-01-26T13:16:41.432Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
at com.vmware.eam.vmomi.EAMInitRequestFilter.handleBody(EAMInitRequestFilter.java:57) ~[eam-server.jar:?]
at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.handleBody(DispatcherImpl.java:373) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.dispatch(DispatcherImpl.java:290) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.impl.DispatcherImpl.dispatch(DispatcherImpl.java:246) [vlsi-server.jar:?]
at com.vmware.vim.vmomi.server.http.impl.CorrelationDispatcherTask.run(CorrelationDispatcherTask.java:58) [vlsi-server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_345]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_345]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_345]
2023-01-26T13:16:50.007Z | INFO | vim-monitor | ExtensionSessionRenewer.java | 190 | [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e] Re-login to vCenter because method: currentTime of managed object: null::ServiceInstance:ServiceInstance failed due to expired client session: null
2023-01-26T13:16:50.007Z | INFO | vim-monitor | OpId.java | 37 | [vim:loginExtensionByCertificate:913aec585658e328] created from [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e]
2023-01-26T13:16:51.440Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
And you see the lack of vCLS VMs in the two vSANs
To resolve the anomaly you must proceed as follows:
vCenter Snapshots and Backup
Log in to the vCenter Server Appliance using SSH.
Run this command to enable access the Bash shell:
shell.set --enabled true
Type shell and press Enter.
Run this command to retrieve the vpxd-extension solution user certificate and key:
Note: If this produces the error “Hostname mismatch, certificate is not valid for ‘localhost'”, change ‘localhost’ to the FQDN or IP of the vCenter. The process is checking this value against the SAN entries of the certificate.
Note: The default user and domain is Administrator@vsphere.local. If this was changed during configuration, change the domain to match your environment. When prompted, type in the Administrator@domain.local password.
Restart EAM and start the rest of the services with these commands:
VMware has just released a new version of Horizon 2212. These are some of the features/support introduced:
Horizon 8 version 2212 in conjunction with App Volumes 4 version 2212 introduces Horizon Published Apps on Demand. With this new feature, administrators can use App Volumes applications directly in their instant-clone RDS farms. Now applications can be delivered dynamically to a generic Windows OS as users launch them. This greatly simplifies static image management and gives administrators the ability to reduce their application specific farms. This also brings the Horizon and App Volumes administration consoles closer together, allowing Horizon administrators to add App Volumes Manager servers and entitle applications to users without the need for duplicate entitlements in App Volumes. This feature creates an opportunity to reduce the time-consuming management of application installations on RDS Farms, and enables scenarios such as multiple users being able to use different versions of the same application while logged in to the same RDS Server.
Microsoft MAK licenses are now supported with Instant Clones.
When you create an automated pool of full clone desktops, you can now specify an active directory OU in which computer accounts can be created. Previously, computer accounts would get created in the default OU and administrators would manually move them after pool creation. This feature, which already exists for Instant Clone desktop pools, addresses this pain point for administrators.
Cloud Pod Architecture is supported with IPv6 environments for more security and added address spaces.
Administrators can now generate a CSR configuration file, import a CA-signed certificate to Connection Server, and monitor health of the certificate from Horizon Console.
In some situations, removing an Application of AppVolume may not result correctly, and as a result, the state of applications from the UI may result in deleting and stalling:
In my case, I also have the advantage that they have not remained in cancellation even if the Packages
To perform the cleanup, you must work on the AppVolume Database.
To proceed we must:
Locate the server that hosts the DB.
On an AppVolume server, in 64-bit ODBC, there is an SRVMANAGER entry edit the entry and identify the server’s name and its DB name.
Shut down each server with the App Volume Manager role of the App Volume Manager service.
Connect with SQL Management Studio to AppVolume DB.
Back up your DB.
Using the native SQL tool or third-party backup tools.
Remove the rows corresponding to the application in the dbo.app_products table.
In some situations, it may not be enough the name and then in the removal query we indicate the status that is deleting.
If there are also packages in a state of deleting also proceed with the removal of the corresponding rows that we can find in the dbo table .app_packages.
It often happens to forget the existence of UAG (Unified Access Gateway) in a VMware Horizon infrastructure and consequently also of root and admin passwords.
Let us remember that the UAG is the object of a Horizon infrastructure, exposed to the outside and therefore more subject to informed attacks. So, it is good and right to keep it constantly updated.
So if we forgot the root and admin passwords of our virtual appliance VMWare has the necessary documentation to reset these accounts, which you can find in these links:
Lately, it happened to me on a customer that even if the root user’s password had been reset, he still did not log in, the error was as follows:
The cause of the problem is the deactivation of the root user shell, evidence of this situation is in the /etc/passwd file of the virtual appliance which is thus configured for the root user
(The following commands can be executed by accessing the virtual appliance console in the manner indicated for changing the root user’s password and are available at this link)
cat /etc/passwd
To fix the situation, simply run the following command:
At this point, we restart with the command reboot -f and we will be enabled to access.
In the various maintenance activities of a Horizon infrastructure, it can happen to find VMs of the instant clone chain in an inaccessible state. (Caused by issues on hosts or vCenter such as sudden shutdowns without properly maintaining Horizon Desktop Pools.)
In the VMware Horizon solution there is a tool, from the command line, that allows the cleaning of these objects.
of one of the connection servers of the Horizon infrastructure
The command is iccleanup.cmd
The first step is to connect to the vCenter in question by launching the following command
iccleanup.cmd -vc <fqdn of vCenter> -uid <administrative user>
Once you have entered the password you will have the possibility to list the VMs of the instant clone infrastructures implemented on that vCenter with the LIST command
Or delete objects in an inaccessible state, for example:
With the delete –index 2 command
After the completion of the cleaning, the situation will be as follows:
Until a few weeks, my Home Lab was composed of two physical ESXi nodes (respectively an INTEL NUC NUC8i3BEH and an HP Desktop HP ProDesk 600 G2 DM), with 32 GB of RAM each and 5 TB of total disk.
For my testing activities, especially in VDI (Horizon) and some vSAN (implemented a 2-node cluster to test the operation of Shared Disks for Microsoft clusters) could be enough.
But the desire to test vSphere 8 (vSAN etc …) and the possibility of trying the Kubernetes world was pushing me to evaluate an expansion of my Home LAB ……….
For the RAM I will proceed to evaluate an expansion with an additional 32GB bank
Installation
Updated vCenter to version 8
Installed ESXi version 8 on a USB stick (Using VMware Workstation and installing ESXi from an ISO on my USB stick) and used it to boot from Maxtang.
At this point I encountered the first problem, the two network cards are not compatible… I had to use a USB dongle -> Ethernet and I managed to start everything (Thanks also to the community drivers USB Network Native Driver for ESXi | VMware Flings
I finally added ESXi to my vCenter
First use
The first thing I did was use William Lam’s script to deploy a vSAN 8
I need to find on AppVolume DB the association from User and Application.
I took a look at my APPvolume test DB and I think it looks like this:
In the table dbo.app_assignment_entities I find the mapping:
user (target_id) –> assigning the application (app_assignment_id)
In the dbo.users table I find my users, so from that table I associate the target_id (ID column of the table) to my user:
while in the dbo.app_assignments table I translate the application assignment id (app_assignment_id, in this table it is l’id, found in the dbo.app_assignment_entities table) into the actual application id (app_product_id)
I translate the defined ID of the application (app_product_id) to the name of the application in Table dbo_app_products
I give a practical example my user “Piccoli Brividi” has 3 applications associated so:
In the table dbo.app_assignment_entities I find in column target_id three times the value 2
in the dbo.users table I find that id 2 corresponds to “Piccoli Brividi”
at this point we translate the application, “Piccoli Brividi” has the apps_Assignment_id 9,15 and 16
In the dbo.app_assignments table I find that ID 9 is associated with app_product_id 5, 15 7 and 16 2
I go to the table dba_approducts and find out the name of the applications associated with my user “Piccoli Brividi”
App_product_id (id) 5 –> FoxitWin11
App_product_id (id) 7 –> IBM personal communication
ThinApp is an application virtualization (Agent-Less) solution.
Application virtualization, therefore, the use of ThinApp, allows us to:
Coexist different versions of the same application on the same Operating System
Use Windows 7 and Windows XP applications on Windows 10 and Windows 11 systems and thus simplify the migration from outdated operating systems to a modern OS
Reduce IT support and related Help Desk costs
Increase user mobility
Stream applications
In detail, ThinApp captures the installation of one or more applications (including files and registry keys that are modified) in an ecosystem that looks like a single executable file.
The executable file is portable on other systems (of the same version or different) and we can control the level of interaction with the operating system on which we are going to run the application and with other applications in our system.
ThinApp allows various ways of isolation using a sandbox:
FULL
MERGED
WRITE
During the creation of the virtualized package, we can choose only two of the previous options (MERGE and WRITECOPY) the third (FULL) we can activate by modifying an INI file post-capture of the installation
In the following diagrams, we find the three modes
The Sandbox is our box where changes to the ThinApp package that the end user performs during use can (depending on the isolation mode chosen) be saved.
The sandbox is:
Customizable the path where it resides
Editable in .ini file that generates application capture
Can reside in the same directory as the ThinApp EXE
Can be on a network share
By default is %appdata%\thinstall\application
Each user has his own sandbox
Resetting application configurations is executable by deleting the sandbox
The distribution of a ThinApp is feasible in several ways:
Using a network share and running application streaming
Using it from a USB device
Copying it to your computer
The use of the network share for the distribution of ThinApp packages allows an easy updating of the packages themselves.
