VDA Registration: Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates a XenDesktop deployment across multiple forests, where the DDC is in one Active Directory forest and the end users and desktops are either in the same forest or in a separate Active Directory forest.

Note: For forest trusts, both forests must be at the Windows Server 2003 forest functional level.

User-added image

The preceding illustration shows two separate Active Directory forests with a two-way forest trust. The DDC and the users are in the same forest (parent.local), but the VDAs are located in a different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, DNS forwarders and conditional forwarders, forward/reverse lookup zones and stub zones are all acceptable for name resolution. As an example, in the preceding illustration, a secondary forward lookup zone and a reverse lookup zone for parent2.local have been added on the DNS server for parent.local, and the opposite has been done on parent2.local. This means that the DDC can now resolve the VDA by name and IP address and the VDA can resolve the DDC by name and IP address.

See Managing a Forward Lookup Zone for information on managing lookup zones.
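The DNS prerequisite above is easy to get half right: the forward zone works but the PTR records were never created, or the PTR names an old host. The following pre-flight check, written here as an added example and not part of the Citrix article, resolves each DDC and VDA name forward, reverse-resolves every returned address, and requires the PTR to name the same host (ignoring case and a trailing dot). The host names and addresses in it are constructed stand-ins for the parent.local and parent2.local forests; run it with the default resolver arguments on a DDC and on a VDA to exercise each side's DNS path.

```python
import socket

# Constructed sample records standing in for the two forests in the article
# (parent.local hosts the DDC, parent2.local hosts the VDAs); not real hosts.
SAMPLE_FORWARD = {
    "ddc01.parent.local": ["10.0.1.10"],
    "vda01.parent2.local": ["10.0.2.20"],
    "vda02.parent2.local": ["10.0.2.30"],   # its PTR points at a stale name (see below)
}
SAMPLE_REVERSE = {
    "10.0.1.10": "ddc01.parent.local",
    "10.0.2.20": "VDA01.parent2.local.",    # case and trailing dot must not count as a mismatch
    "10.0.2.30": "oldvda.parent2.local",
}

def sample_forward(host):
    return SAMPLE_FORWARD.get(host.lower().rstrip("."), [])

def sample_reverse(ip):
    return SAMPLE_REVERSE.get(ip)

def system_forward(host):
    """A records for host via the system resolver; empty list when resolution fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def system_reverse(ip):
    """PTR name for ip via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_host(host, forward=system_forward, reverse=system_reverse):
    """Forward-resolve host, reverse-resolve every address, and require the PTR
    to name the same host. Returns (ok, list_of_problem_strings)."""
    want = host.lower().rstrip(".")
    ips = forward(host)
    if not ips:
        return False, [f"{host}: forward lookup failed"]
    problems = []
    for ip in ips:
        got = reverse(ip)
        if got is None:
            problems.append(f"{ip}: no PTR record")
        elif got.lower().rstrip(".") != want:
            problems.append(f"{ip}: PTR is {got}, expected {want}")
    return not problems, problems

def check_all(hosts, forward=system_forward, reverse=system_reverse):
    """Run check_host over every DDC and VDA name; returns {host: (ok, problems)}."""
    return {h: check_host(h, forward, reverse) for h in hosts}

if __name__ == "__main__":
    # Offline demonstration against the constructed records; drop the last two
    # arguments to query the real resolver of the machine you run this on.
    for host, (ok, problems) in check_all(SAMPLE_FORWARD, sample_forward, sample_reverse).items():
        print(host, "OK" if ok else "FAIL", *problems)
```

Run it once from the DDC with the VDA names and once from a VDA with the DDC names: the article's requirement is that both directions work from both sides, and a failure in either direction is what shows up later as a VDA that never registers.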

On the Desktop Delivery Controller, enable the following registry value. This enables support for VDAs located in separate forests: HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\SupportMultipleForest (REG_DWORD)

User-added image

To enable VDAs located in separate forests, this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the change to take effect.

On the Virtual Desktop Agent, enable the following registry value to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest, this value must be present and set to 1.

Note: The next step is only required if external trusts alone are being used.

  1. If the Active Directory FQDN does not match the DNS FQDN, or if the domain where the DDC resides has a different NetBIOS name from that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\ListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\ListOfSIDs

User-added image

The ListOfSIDs registry key contains the domain SID of the DDC. With this key in place, DNS lookups use the true DNS name of the DDC.

The correct domain SID of the DDC can be found in the output of the PowerShell cmdlet Get-BrokerController, run from an elevated PowerShell prompt on the Delivery Controller.

Note: You must restart the Citrix Desktop Service for the changes to take effect.

Related:

Error: 'Name server already exists' – Unable to add DNS servers in NetScaler

To resolve this issue:

  1. Check whether a DNS load balancing virtual server has already been added on the NetScaler.

  2. If so, remove the DNS load balancing virtual server and its services.

  3. Try to add the name server again; it should now succeed.

  4. On the NetScaler, a given DNS server IP can be added either as a DNS name server or as a DNS load balancing VIP, not both.

  5. You can navigate to System > Network > IPs and check whether a VIP with this IP already exists.

The best way is to run “sh run | grep <IP Address>” from the CLI to find any matching configuration.

If that doesn’t work, try warm restarting the NetScaler.
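The “sh run | grep <IP Address>” step works, but a plain substring match on 10.10.10.10 also hits 10.10.10.100 and 10.10.10.101, which wastes time on a busy ns.conf. The following is an added example (not Citrix's tooling) that reads a saved ns.conf, matches the address as a whole IP, and picks out the two object types that explain this error: a VIP on that address and a DNS or DNS_TCP load balancing vserver on it, together with the services bound to that vserver. The ns.conf excerpt inside is constructed for the example.

```python
import re

# Constructed ns.conf excerpt, not from the article: a DNS load balancing VIP already
# occupies 10.10.10.10, so "add dns nameServer 10.10.10.10" would be refused.
SAMPLE_NS_CONF = """\
add ns ip 10.10.10.10 255.255.255.0 -type VIP
add lb vserver dns_lb_vip DNS 10.10.10.10 53 -persistenceType NONE
add service dns_svc_1 10.10.10.11 DNS 53
bind lb vserver dns_lb_vip dns_svc_1
add dns nameServer 10.10.10.100
add lb vserver web_vip HTTP 10.10.10.101 80
"""

def find_ip_references(ns_conf, ip):
    """Every config line that references exactly ip. The lookarounds refuse a match
    when another digit or dot is adjacent, so 10.10.10.10 does not hit 10.10.10.100."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in ns_conf.splitlines() if pattern.search(line)]

def name_server_conflicts(ns_conf, ip):
    """Subset of references that explain a 'Name server already exists' error:
    the address is held as a VIP or fronted by a DNS/DNS_TCP load balancing vserver."""
    conflicts = []
    for line in find_ip_references(ns_conf, ip):
        is_vip = line.startswith("add ns ip") and "-type VIP" in line
        is_dns_vserver = line.startswith("add lb vserver") and (" DNS " in line or " DNS_TCP " in line)
        if is_vip or is_dns_vserver:
            conflicts.append(line)
    return conflicts

def bound_services(ns_conf, vserver_name):
    """Service names bound to vserver_name ('bind lb vserver <name> <service> ...');
    the article removes these along with the DNS vserver."""
    prefix = f"bind lb vserver {vserver_name} "
    names = []
    for line in ns_conf.splitlines():
        if line.startswith(prefix):
            tokens = line.split()
            if len(tokens) > 4 and not tokens[4].startswith("-"):
                names.append(tokens[4])
    return names

if __name__ == "__main__":
    ip = "10.10.10.10"
    for line in name_server_conflicts(SAMPLE_NS_CONF, ip):
        print("conflict:", line)
        if line.startswith("add lb vserver"):
            print("  bound services:", bound_services(SAMPLE_NS_CONF, line.split()[3]))
```

Feed it the output of “show ns runningConfig” saved to a file and it tells you exactly which objects to remove before retrying “add dns nameServer”.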

Related:

How multiple domain name work in DNS feature

Hi

I have 6 internal DNS servers which own internal domain names. I have divided the domain names among the DNS servers in the proxy because each can be specified with a maximum of 8 domain names. My problem is that when I add one of my domains to the D group (as in the picture below), the proxy status becomes warning (the D group had 1 domain previously), but when I remove it, the proxy status becomes OK. After that I put this one problem domain in the C group, and the proxy status is still OK.

So I decided to put the problem domain name back in group C and run a packet capture on the proxy. It seems the proxy looks up only one domain name in the list and not the problem domain. Then I put the problem domain name in group D and ran a packet capture. The proxy looks up the problem domain and the status turns to warning.

Group C has 7 domain names in the list and group D has only 1 domain name in the list (this excludes the problem domain).

I have tested looking up the A record for this domain name from my computer using all the DNS servers, and the result is the same.

This is why I wonder how Domains in the DNS feature work, and I am not sure whether the problem I have faced is normal behaviour of the proxy.

Apologies for the bad grammar 🙁


Related:

Citrix DNS Counters

This article lists the newnslog Domain Name Server (DNS) counters with a brief description of each.

Using the Counters

Log on to the ADC using an SSH client, change to the shell, navigate to the /var/nslog directory, and then use the ‘nsconmsg’ command to see comprehensive statistics using the different counters available. For the detailed procedure, refer to the Citrix blog “NetScaler ‘Counters’ Grab-Bag!”.

DNS Counter

The following table lists the newnslog DNS counters with a short description of each counter.

| Newnslog counter | Description |
|---|---|
| dns_tot_Queries | Total number of DNS queries received. |
| dns_tot_Answers | Total number of DNS responses received. |
| dns_tot_aaaaQueries | Total number of AAAA queries received. |
| dns_tot_aaaaResponses | Total number of AAAA responses received. |
| dns_tot_aQueries | Total number of A queries received. |
| dns_tot_aResponses | Total number of A responses received. |
| dns_tot_nsQueries | Total number of NS queries received. |
| dns_tot_nsResponses | Total number of NS responses received. |
| dns_tot_mxQueries | Total number of MX queries received. |
| dns_tot_mxResponses | Total number of MX responses received. |
| dns_tot_soaQueries | Total number of SOA queries received. |
| dns_tot_soaResponses | Total number of SOA responses received. |
| dns_tot_cnameQueries | Total number of CNAME queries received. |
| dns_tot_cnameResponses | Total number of CNAME responses received. |
| dns_tot_ptrQueries | Total number of PTR queries received. |
| dns_tot_ptrResponses | Total number of PTR responses received. |
| dns_tot_srvQueries | Total number of SRV queries received. |
| dns_tot_srvResponses | Total number of SRV responses received. |
| dns_tot_anyQueries | Total number of ANY queries received. |
| dns_tot_anyResponses | Total number of ANY responses received. |
| dns_err_ResponseClassUnsupported | Total number of responses whose response class was unsupported. |
| dns_err_ResponseTypeUnsupported | Total number of responses whose response type was unsupported. |
| dns_tot_UnsupportedQueries | Total number of requests whose query type was unsupported. |
| dns_err_QueryClassUnsupported | Total number of queries whose query class was unsupported. |
| dns_err_QueryFormats | Total number of queries whose format was invalid. |
| dns_err_ResponseFormats | Total number of responses with a format error. |
| dns_tot_multi_Queries | Total number of multi-query requests received. |
| dns_err_strayanswers | Total number of stray answers (responses that match no outstanding query). |
| dns_tot_cache_flush_called | Total number of times the cache was flushed. |
| dns_tot_cached_entries_flushed | Total number of cache entries flushed. |
| dns_tot_ServerQueries | Total number of queries sent to servers. |
| dns_tot_ServerResponses | Total number of responses received from servers. |
| dns_err_aaaaNoDomains | Total number of times an AAAA record lookup failed. |
| dns_err_aNoDomains | Total number of times an A record lookup failed. |
| dns_err_nsNoDomains | Total number of times an NS record lookup failed. |
| dns_err_mxNoDomains | Total number of times an MX record lookup failed. |
| dns_err_cnameNoDomains | Total number of times a CNAME record lookup failed. |
| dns_err_soaNoDomains | Total number of times an SOA record lookup failed. |
| dns_err_ptrNoDomains | Total number of times a PTR record lookup failed. |
| dns_err_srvNoDomains | Total number of times an SRV record lookup failed. |
| dns_err_anyNoDomains | Total number of times an ANY query lookup failed. |
| dns_tot_aaaa_updates | Total number of AAAA record updates. |
| dns_tot_a_updates | Total number of A record updates. |
| dns_tot_ns_updates | Total number of NS record updates. |
| dns_tot_mx_updates | Total number of MX record updates. |
| dns_tot_soa_updates | Total number of SOA record updates. |
| dns_tot_cname_updates | Total number of CNAME record updates. |
| dns_tot_ptr_updates | Total number of PTR record updates. |
| dns_tot_srv_updates | Total number of SRV record updates. |
| dns_tot_record_updates | Total number of record updates. |
| dns_err_multiquery_disabled | Total number of times a multi-query was received while multi-query was disabled. |
| dns_tot_AuthAnswers | Number of queries that were answered authoritatively. |
| dns_err_NoDomains | Number of queries for which no record was found. |
| dns_err_ResponseWithoutAnswers | Number of DNS responses received without an answer section. |
| dns_err_ResponseBadLength | Number of DNS responses received with an invalid resource data length. |
| dns_tot_ReqRefusals | Number of DNS requests refused. |
| dns_tot_OtherErrors | Total number of other errors. |
| dnsrec_tot_queries | Total number of DNS queries received. |
| dns_tot_entries | Total number of DNS record entries. |
| dns_tot_updates | Total number of DNS proactive updates. |
| dns_tot_Resp | Total number of DNS server responses. |
| dns_tot_requests | Total number of DNS queries received. |
| dns_err_limits | Total number of times a DNS record was received with more entries than the appliance supports. |
| dns_err_RespFormats | Total number of malformed responses received from the backend. |
| dns_err_AliasExists | Total number of times a non-CNAME record was received for a domain for which an alias (CNAME) exists. |
| dns_err_NoDom | Total number of cache misses. |
| dns_cur_entries | Current number of DNS entries. |
| dns_cur_records | Current number of DNS records. |

Related:


Can we configure more than one Primary DNS Servers from Proxy SG

Hi All,

Can we configure more than one primary DNS server and more than one alternate DNS server on a ProxySG S400-30?

Ex:

Primary DNS : 10.10.10.10,10.10.10.11,10.10.10.12

Alternate/Secondary DNS : 10.10.10.13,10.10.10.15,10.10.10.17

Regards,

Ramu.


Related:

How to Enable NetScaler Appliance to Use DNS for Resolving the Hostnames to IP Addresses

This article describes how to enable a NetScaler appliance to use the Domain Name System (DNS) for resolving the hostnames to its respective IP addresses.

You will require an SSH utility to access the command line interface of the NetScaler appliance.

By default, the NetScaler appliance cannot resolve hostnames to their respective IP addresses. You must complete the following tasks to enable name resolution on the NetScaler appliance:

  • Define name servers
  • Define a DNS suffix

When you enable the NetScaler appliance to use DNS for resolving the hostnames to its respective IP addresses, consider the following points:

  • You must perform DNS lookups from the command line interface of the NetScaler appliance. If you perform DNS lookups from the shell prompt of the FreeBSD operating system, the lookups fail because the entry in the /etc/resolv.conf file points to the 127.0.0.2 IP address.

  • The following commands are not available in the command line interface of the appliance:

    • host
    • dig
    • getent/MIP
    • nslookup
  • The NetScaler must be able to ping the DNS server from its SNIP/MIP; otherwise the name server shows as DOWN. This is important when the NetScaler is behind a firewall.

Related:

Citrix Response on DNS Flag Day

February 1st 2019 is DNS Flag Day, from which date multiple public DNS providers and DNS software vendors will no longer support broken or vulnerable DNS implementations. On or around this date, major open source resolver vendors will release updates that implement stricter EDNS handling. These resolvers will not connect to non-compliant DNS servers.

Is Citrix ADC impacted?

Domains hosted on all Citrix ADC MPX/SDX/VPX appliances in ADNS mode or proxy mode will continue to be accessible after DNS Flag Day without any performance impact.

Citrix ADC can be deployed in multiple modes for DNS traffic and the following table captures the impact in each mode.

The following deployment modes were tested:

  • DNS proxy mode with caching enabled
  • DNS proxy mode with caching disabled
  • GSLB mode (zone same as GSLB domain)
  • ADNS mode with authoritative zone
  • Load Balancing virtual server with authoritative zone
  • Resolver mode with authoritative zone
  • Content Switching with authoritative zone
  • DNS proxy mode with caching enabled, with EDNS Client Subnet enabled on the backend server
  • DNS proxy mode with caching disabled, with EDNS Client Subnet enabled on the backend server
  • GSLB with DNSSEC
  • GSLB with EDNS Client Subnet enabled
  • DNSSEC-enabled ADNS

Test result (the same for every mode listed): No impact on domain availability and performance. An overall minor impact is identified due to our approach to EDNS options handling.

If you test your application domain in the https://dnsflagday.net/ portal, you may get the result “Minor problems detected!” (see Appendix A). This is because of our approach to EDNS options handling. There will be no impact on domain availability and performance after DNS Flag Day.

Citrix ADC supports EDNS0 on all supported versions (10.5, 11.0, 11.1, 12.0 and 12.1), and you will get the same result, “Minor problems detected!”, on all versions if configured correctly.

We will release a build in the future that implements all required EDNS standards and complies completely.

If you are getting a result other than “All Ok!” or “Minor problems detected!” see next section on Citrix recommendation.

What is Citrix Recommendation?

  • Configure SOA and NS records for the zones you are authoritative for.
  • If Citrix ADC is deployed in proxy mode, also configure a DNS_TCP type virtual server. Ensure that this virtual server is up and running.
  • If Citrix ADC is deployed in ADNS mode, also configure an ADNS_TCP type service. Ensure that this service is up and running.

See Appendix B to find how to configure these entities on Citrix ADC.

If these steps do not give you a “Minor problems detected!” result, kindly contact Citrix Support.
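What the Flag Day resolvers stopped tolerating is a server that receives a query carrying an EDNS0 OPT record and either drops it or answers as if the OPT were not there. The following added example (not Citrix code and not the dnsflagday.net test suite) shows that round-trip at the wire level: it builds a query with an OPT pseudo-record, walks a response to find whether the server echoed one, and returns a simplified verdict. Both the query and the sample responses are constructed in the block, so it runs offline; the UDP payload sizes and the 192.0.2.10 answer address are illustrative values.

```python
import struct

OPT_TYPE = 41  # EDNS(0) pseudo-RR type, RFC 6891

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_edns_query(name, qtype=1, udp_payload=1232, txid=0x1234):
    """A standard query with RD set and one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root owner name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE / version 0 / flags, RDLENGTH 0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def find_opt(msg):
    """Return the OPT record fields if the message carries one, else None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {"udp_payload": rclass, "version": (ttl >> 16) & 0xFF,
                    "ext_rcode": ttl >> 24, "do": bool(ttl & 0x8000)}
        off += rdlen
    return None

def edns_status(response):
    """Simplified verdict on one response to an EDNS query."""
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x0F
    opt = find_opt(response)
    if opt is not None:
        return "edns0-ok" if opt["version"] == 0 else "edns-bad-version"
    if rcode == 1:
        return "formerr-no-edns"    # legacy server refusing OPT as RFC 6891 section 7 allows
    return "opt-stripped"           # answered but silently dropped OPT: the misbehaviour the tests flag

def make_sample_response(query, include_opt=True):
    """Constructed answer to a build_edns_query() message: one A record (192.0.2.10,
    a documentation address), with the OPT echoed or, for a broken server, omitted."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0) if include_opt else b""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1 if include_opt else 0)
    return header + question + answer + opt

if __name__ == "__main__":
    q = build_edns_query("example.test")
    print("query OPT:", find_opt(q))
    print("compliant server:", edns_status(make_sample_response(q)))
    print("OPT-stripping server:", edns_status(make_sample_response(q, include_opt=False)))
```

To use it against a real authoritative server, send the bytes from build_edns_query over UDP and TCP port 53 and pass each reply to edns_status; the TCP leg matters because the article's "Fatal error detected!" case is a TCP timeout, which no byte-level check can see.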

Example Failure Cases

Some examples of failure cases are given below:

Example 1: Test result: “Fatal error detected!”

Cause: This happens when the test tool times out on TCP queries.

Solution: Ensure that DNS_TCP type virtual server (in case of DNS proxy deployment) and ADNS_TCP service (in case of ADNS deployment) are up and running on Citrix ADC.

Example 2: Test result: “Serious problem detected!”

Cause: This is seen when there is a network connectivity issue with the DNS server. The result can also change to “Minor problem detected!” intermittently.

Solution: Ensure there is no network connectivity issue with the server and that the recommended steps above have been followed.

Appendix A

Testing domain on https://dnsflagday.net/ can give the following results:

User-added image

Appendix B

Configuring SOA record

CLI: add dns soarec <domain name> -originserver <> -contact <>

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> SOA Records

Configuring NS record

CLI: add dns nsrec <domain name> <NS record>

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> DNS -> Records -> Name Server Records

Configuring DNS_TCP type virtual server

CLI: add lb vserver <vserver name> DNS_TCP <IP> 53

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Virtual Servers

Configuring ADNS_TCP type service

CLI: add service <service name> <IP> ADNS_TCP 53

GUI: Citrix ADC GUI -> Configuration -> Traffic Management -> Load Balancing -> Services

Related:

Re: DMZ connect to a node not to the SC

Hi smeura,

There are some applications that don’t work well with SmartConnect because of the IP change. I don’t have enough information about your environment to give you advice here, but you could open up a ticket with Isilon for a deeper dive.

There is some information here https://support.emc.com/docu58740 regarding SmartConnect and DMZ but I can’t say whether or not it is applicable to your situation.

SmartConnect usage in isolated network environments

SmartConnect is, effectively, a limited implementation of a custom DNS server: it answers only for the SmartConnect zone names or aliases configured on it. To use SmartConnect in an isolated network environment where no DNS infrastructure is available (such as a DMZ), configure your client systems to use the SmartConnect service IP address as the primary DNS server. Configuring your client systems this way helps to ensure that:

• Requests to connect to Isilon clusters with SmartConnect zone names will succeed.

• The isolated network benefits from SmartConnect features, such as load balancing and rerouting traffic around unavailable nodes, which work as they would in a normal, non-isolated deployment.

Related:

ADC VPX on AWS has a default DNS server that interferes with the added DNS server when resolving hostnames

The topology is shown below. The name server on the right was added to the ADC and its effective state shows “UP”; the one on the left is the default DNS server, which cannot be seen with show dns nameServer in the CLI or under Traffic Management > DNS > Name Servers in the GUI.

When trying to resolve the local domain hostname, the lookup fails and the DNS server shown is 172.1.x.x rather than 172.16.7.1:

——————————————————-

dig ad.test.local

……

;; Query time: 1 msec

;; SERVER: 172.1.0.2#53(172.1.x.x)

;; WHEN: Sat Mar 25 03:05:44 2017

;; MSG SIZE rcvd: 48

——————————————————-

But if we direct the query at 172.16.7.1, or at 127.0.0.2 (the local default DNS, which points to the added DNS server), it returns a normal result:

——————————————————-

dig ad.test.local @172.16.7.1

……

;; Query time: 1 msec

;; SERVER: 127.0.0.2#53(127.0.0.2)

;; WHEN: Sat Mar 25 03:05:44 2017

;; MSG SIZE rcvd: 48

——————————————————-

When we check /etc/resolv.conf, we find two DNS servers listed, with 172.1.x.x ahead of 127.0.0.2.

This is by design for ADC VPX running on AWS.

Note: /etc/resolv.conf is read from the shell prompt; you can reach the shell prompt by typing shell at the ADC prompt (>).
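Both this article and the earlier one on enabling DNS on the NetScaler come down to the same mechanism: the FreeBSD shell's resolver walks the nameserver lines of /etc/resolv.conf in file order, so whichever address precedes 127.0.0.2 is what a dig or host typed at the shell prompt will ask first, regardless of what show dns nameServer reports in the ADC CLI. The following added example (not Citrix code) parses a resolv.conf and reports that order. The file contents are constructed to match the situation the article describes; 172.1.0.2 stands in for the AWS-provided resolver.

```python
# Constructed /etc/resolv.conf in the shape the article describes for ADC VPX on AWS;
# 172.1.0.2 stands for the AWS-provided resolver, 127.0.0.2 for the ADC's own DNS.
SAMPLE_RESOLV_CONF = """\
# Generated by resolvconf
search ec2.internal
nameserver 172.1.0.2
nameserver 127.0.0.2
options timeout:1 attempts:2
"""

def parse_resolv_conf(text):
    """Return nameservers (in file order), search list and options from resolv.conf text.
    Comments (# or ;) and blank lines are ignored, as the libc resolver ignores them."""
    conf = {"nameservers": [], "search": [], "options": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            conf["nameservers"].append(values[0])
        elif key in ("search", "domain"):
            conf["search"].extend(values)
        elif key == "options":
            conf["options"].extend(values)
    return conf

def shell_resolver_order(conf, adc_resolver="127.0.0.2"):
    """(server the shell resolver asks first, index of the ADC resolver or None).
    The resolver tries nameserver lines in order, so anything listed before
    127.0.0.2 is what a shell-prompt dig or host will hit first."""
    ns = conf["nameservers"]
    first = ns[0] if ns else None
    idx = ns.index(adc_resolver) if adc_resolver in ns else None
    return first, idx

def explain(conf, adc_resolver="127.0.0.2"):
    """Human-readable summary of the same check, for use at the shell prompt."""
    first, idx = shell_resolver_order(conf, adc_resolver)
    if first is None:
        return "no nameserver lines: shell lookups cannot work"
    if idx == 0:
        return f"shell lookups go to the ADC resolver {adc_resolver} first"
    where = f"position {idx + 1}" if idx is not None else "absent"
    return (f"shell lookups go to {first} first ({adc_resolver} is {where}); "
            f"use the ADC CLI, or query {adc_resolver} explicitly, for name servers added to the ADC")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    print(explain(parse_resolv_conf(text)))
```

Run it with /etc/resolv.conf as the argument from the ADC shell prompt; with no argument it evaluates the constructed sample.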

Related: