VDA Registration: Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment. This is where the DDC is in a different Active Directory forest and the end users and desktops can be either in the same forest or in a separate Active Directory forest.

Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.

User-added image

The preceding illustration shows two separate Active Directory forest with a two-way forest trust. DDC and Users are in the same forest (parent.local) but the VDAs are located in different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional Forwarders, Forward /Reverse lookup zones and Stub zones are all acceptable for name lookup/resolution. As an example, in the preceding illustration, on the DNS server for Parent.local, a Secondary Forward Lookup Zone and a Reverse Lookup zone for Parent2.local has been added and similarly the opposite has been done on the Parent2.local. This means that the DDC should now be able to resolve the VDA by name and IP and the VDA resolves the DDC by name and IP address.

SeeManaging a Forward Lookup Zonefor information on managing Lookup Zones.

On theDesktop Delivery Controller, enable the following registry value on the DDC. This enables support for VDAs, which are located in separate forests:HKEY_LOCAL_MACHINESoftwareCitrixDesktopServerSupportMultipleForest (REG_DWORD)

User-added image

To enable VDAs located in separate forests; this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On theVirtual Desktop Agent, enable the following registry value on the VDA to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentSupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest; this value must be present and set to 1.

Note: The next step is only required if External Trusts are only being used.

  1. If the Active Directory FQDN does not match the DNS FQDN or if the domain where the DDC resides has a different NetBIOS name to that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINESoftwareCitrixVirtualDesktopAgentListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINESoftwareWow6432NodeCitrixVirtualDesktopAgentListOfSIDs
    • User-added image

The ListOfSIDs registry key contains the DOMAIN SID of the DDC. By using this key, DNS lookups are using the true DNS name of the DDC.

To obtain the correct domain SID of the DDC, the domain SID can be found in the results of the PowerShell cmdlet Get-BrokerController from an elevated PowerShell prompt on the delivery controller.

Note: You must restart the Citrix Desktop Service for the changes to have an effect.


Removing IPs from blacklist.

I need a solution


I have repeatedly contacted you through the IP removal tool available at https://ipremoval.sms.symantec.com/ipr/lookup. 

My question is in regards to how long it takes for this request to be processed. Should I expect this to take more than a week? 

I would very much appreciate an answer.

Thank you kindly. 

Best Regards,




SEP 14.2 Unmanaged – Trial License expiration?

I need a solution

Currenlty, I am running SEP 14.2 Unmanaged and would like to know if what will happen to some components if my Trial expires?

I heard that Download Insight or Cloud File Reputation Lookup will be disabled.

But what about Auto-protect? Will Auto-Protect be disabled as well?

Will I still get LiveUpdates as well?

I only need the basic components, especially Auto-Protect. The Cloud File Reputation Lookups not really needed since I do not download a lot of  files or programs on my system.

Have attached a print screen on what might get disabled when the Unmanaged version Trial expires.



TCP small window protection.


Intermittently packet drop in TCP Vserver due to small window protection.


Action plan: We can disable the small window option through nsapimgr command: root@ns# nsapimgr_wr.sh -ys small_window_protection=0 Number of PEs running: 1 Changing Connection startup small window protection from 1 to 0 … Done. Note: nsapimgr are developers specific and these commands needs to be run only under the advice of Citrix Support. Kindly contact Citrix Support before applying any nsapimgr commands. For further information please refer KB: https://support.citrix.com/article/CTX214610

1– How long will the ip/seq no remain in the hash table?

We are storing Initial Receive Sequence (IRS) into hash table. Right now it is not flushed. As long as the entry is rewritten the IRS will be present in hash table.

We have the enhancement – Small Window Protection code revamp opened to address this issue.

But this is not the deciding factor for small window check. Entry in hash table decides whether to probe the client or not. (This is not applicable for HTTP/SSL/SSL TCP service types which do not have probe logic)

– How many entries can be stored on hash table?

We can have 16K entries.

– What if the hash table got full?

As said there is no flush logic. It can be rewritten.


  • No Related Posts

Chain Scripted Lookup Plugins

I need a solution

I’m looking for a way to chain scripted lookup plugins similar to the scenario described in the Symantec_DLP_14.6_Admin_Guide.pdf (pg 1432).

Script #1 performs a lookup using a value passed by configuring Lookup Parameter (e.g. sender-ip).  The output of this plugin will write a new custom attribute value (custom_attribute=value).

Script #2 needs to perform another scripted lookup using the value of custom_attribute as its key.  

Question: How can custom attribute vaules be passed to a custom script lookup plugin.  Similar to how a LDAP plugin can access the attribute mapping (e.g. $custom_attribute$).

I could chain the two scripts together and return multiple attribute=value pairs, but would prefer to implement these as two separate plugins.