VDA Registration: Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

The following diagram illustrates a XenDesktop deployment across multiple Active Directory forests: the DDC is in one forest, and the end users and desktops can be either in the same forest or in a separate forest.

Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.


The preceding illustration shows two separate Active Directory forests with a two-way forest trust. The DDC and the users are in the same forest (parent.local), but the VDAs are located in a different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly:

DNS, for name and reverse lookups. Depending on the approach taken, DNS forwarders and conditional forwarders, forward/reverse lookup zones and stub zones are all acceptable for name resolution. As an example, in the preceding illustration, a secondary forward lookup zone and a reverse lookup zone for parent2.local have been added on the DNS server for parent.local, and the opposite has been done on parent2.local. The DDC can therefore resolve the VDA by name and IP address, and the VDA can resolve the DDC by name and IP address.

See Managing a Forward Lookup Zone for information on managing lookup zones.

On the Desktop Delivery Controller, enable the following registry value on the DDC. This enables support for VDAs that are located in separate forests:

HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\SupportMultipleForest (REG_DWORD)


To enable VDAs located in separate forests, this value must be present and set to 1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On the Virtual Desktop Agent, enable the following registry value on the VDA to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest, this value must be present and set to 1.

Note: The next step is only required if only External Trusts are being used.

  1. If the Active Directory FQDN does not match the DNS FQDN, or if the domain where the DDC resides has a NetBIOS name that differs from its Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\ListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\ListOfSIDs

The ListOfSIDs registry key contains the domain SID of the DDC. With this key in place, DNS lookups use the true DNS name of the DDC.

The domain SID of the DDC can be found in the output of the PowerShell cmdlet Get-BrokerController, run from an elevated PowerShell prompt on the Delivery Controller.

Note: You must restart the Citrix Desktop Service for the changes to have an effect.
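The DNS checks and VDA-side registry values from the steps above, as an added PowerShell example that is not part of the Citrix article. It is meant for an elevated prompt on a 64-bit VDA in parent2.local; the DDC name, the domain SID placeholder and the REG_SZ type for ListOfSIDs are assumptions, and the service display name is the one the article uses.

```powershell
# Added example (not from the Citrix article). Run in an elevated PowerShell on a
# 64-bit VDA in parent2.local. Assumptions: the DDC name below is a placeholder,
# the domain SID comes from Get-BrokerController on the DDC, and ListOfSIDs is REG_SZ.
$DdcFqdn      = 'ddc01.parent.local'                               # placeholder
$DdcDomainSid = 'S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX'          # placeholder
$vdaKey       = 'HKLM:\Software\Wow6432Node\Citrix\VirtualDesktopAgent'

# 1. Forward lookup: the VDA must resolve the DDC by name (cross-forest zone or forwarder).
$aRecords = @(Resolve-DnsName -Name $DdcFqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A')
$ddcIp    = $aRecords[0].IPAddress
Write-Host "Forward lookup: $DdcFqdn -> $ddcIp"

# 2. Reverse lookup: the DDC address must map back to the same DNS name.
$ptrNames = @(Resolve-DnsName -Name $ddcIp -Type PTR -ErrorAction Stop |
              Where-Object Type -eq 'PTR' | ForEach-Object { $_.NameHost.TrimEnd('.') })
if ($ptrNames -notcontains $DdcFqdn) {
    Write-Warning "Reverse lookup of $ddcIp returned '$($ptrNames -join ', ')', not $DdcFqdn; fix the reverse zone first"
}

# 3. SupportMultipleForest = 1 (REG_DWORD) on the VDA.
if (-not (Test-Path $vdaKey)) { New-Item -Path $vdaKey -Force | Out-Null }
New-ItemProperty -Path $vdaKey -Name SupportMultipleForest -PropertyType DWord -Value 1 -Force | Out-Null

# 4. External trusts only: ListOfSIDs holding the DDC's domain SID (skipped while the placeholder is unchanged).
if ($DdcDomainSid -notmatch 'X') {
    New-ItemProperty -Path $vdaKey -Name ListOfSIDs -PropertyType String -Value $DdcDomainSid -Force | Out-Null
}

# 5. Restart the Citrix Desktop Service so the VDA re-registers with the new settings.
Get-Service -DisplayName 'Citrix Desktop Service' | Restart-Service -Force
Get-ItemProperty -Path $vdaKey | Select-Object SupportMultipleForest, ListOfSIDs
```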


My ip blocklisted


Hello,
I used https://ipremoval.sms.symantec.com/ to remove IP 80.235.16.66, but nothing happened.

refused to talk to me: 554 5.7.1 You are not allowed to connect. Your mail server might be on Symantec Global Bad Senders list

The complete IP check for sending Mailservers
Data of the received email
Receiving timestamp (UTC):    2019-09-12 11:15:04    Sender IP:    80.235.16.66
Sender HELO:    aleph.jarve.edu.ee    Sender address:    kalle@jarve.edu.ee
From address:    Kalle Raidma <kalle@jarve.edu.ee>
Receiver address:    6a8f07f984bdd631d7064564e6f9fcdf1660d6fa@multirbl.valli.org
FCrDNS Test
rDNS for IP 80.235.16.66    
aleph.jarve.edu.ee
OK
IP Addresses (A or AAAA records) for aleph.jarve.edu.ee    
80.235.16.66
OK
At least one IP address of the DNS lookup for aleph.jarve.edu.ee matches the original IP    OK
HELO/EHLO Tests
The HELO/EHLO string “aleph.jarve.edu.ee” is a valid host- or domainname    OK
IP Addresses for “aleph.jarve.edu.ee”    
80.235.16.66
OK
At least one IP address of the DNS lookup for “aleph.jarve.edu.ee” matches to the connecting IP 80.235.16.66    OK
The HELO/EHLO string “aleph.jarve.edu.ee” matches to one of the names in the rDNS from connecting IP    OK
Sender Address Tests
The Sender address “kalle@jarve.edu.ee” is a valid email address    OK
MX, A or AAAA record of the Sender domain “jarve.edu.ee”    
aleph.jarve.edu.ee (pref=10)
OK
IP Addresses for aleph.jarve.edu.ee    
80.235.16.66
OK
DNSBL Blacklist Test Summary    287 of 287 tests done.
Results    Not listed: 275    Blacklisted: 0    Brownlisted: 0    Yellowlisted: 0    Whitelisted: 0    Neutrallisted: 0    Failed: 12
Processing    All done
DNSBL Combinedlist Test Summary    21 of 21 tests done.
Results    Not listed: 18    Blacklisted: 0    Brownlisted: 0    Yellowlisted: 0    Whitelisted: 0    Neutrallisted: 2    Failed: 1
Processing    All done
DNSBL Whitelist Test Summary    37 of 37 tests done.
Results    Not listed: 37    Blacklisted: 0    Brownlisted: 0    Yellowlisted: 0    Whitelisted: 0    Neutrallisted: 0    Failed: 0
Processing    All done
DNSBL Informationallist Test Summary    15 of 15 tests done.
Results    Not listed: 6    Blacklisted: 0    Brownlisted: 0    Yellowlisted: 0    Whitelisted: 0    Neutrallisted: 9    Failed: 0
Processing    All done

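The FCrDNS, HELO and sender-domain checks that the multirbl report above walks through, as an added PowerShell example that is not part of the post. The IP, HELO name and domain are the ones from the report; the function name and the use of Resolve-DnsName (DnsClient module) are assumptions.

```powershell
# Added example, not from the forum post: re-runs the FCrDNS / HELO / MX checks
# of the multirbl report with Resolve-DnsName. Default values are taken from the post.
function Test-FcrDns {
    param(
        [string]$SenderIp     = '80.235.16.66',
        [string]$Helo         = 'aleph.jarve.edu.ee',
        [string]$SenderDomain = 'jarve.edu.ee'
    )
    $result = [ordered]@{}

    # rDNS: PTR name(s) of the connecting IP
    $ptrNames = @(Resolve-DnsName -Name $SenderIp -Type PTR -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'PTR' | ForEach-Object { $_.NameHost.TrimEnd('.') })
    $result['rDNS'] = $ptrNames -join ','

    # Forward-confirmed: at least one A/AAAA of a PTR name must equal the connecting IP
    $fwdIps = @(foreach ($n in $ptrNames) {
        Resolve-DnsName -Name $n -Type A_AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | ForEach-Object IPAddress
    })
    $result['FCrDNS'] = ($fwdIps -contains $SenderIp)

    # HELO/EHLO: must resolve to the connecting IP and appear among the rDNS names
    $heloIps = @(Resolve-DnsName -Name $Helo -Type A_AAAA -ErrorAction SilentlyContinue |
                 Where-Object { $_.IPAddress } | ForEach-Object IPAddress)
    $result['HELO resolves to IP'] = ($heloIps -contains $SenderIp)
    $result['HELO matches rDNS']   = ($ptrNames -contains $Helo)

    # Sender domain: MX records (the report shows aleph.jarve.edu.ee, pref=10)
    $mx = @(Resolve-DnsName -Name $SenderDomain -Type MX -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'MX' | Sort-Object Preference)
    $result['MX'] = ($mx | ForEach-Object { "$($_.NameExchange) (pref=$($_.Preference))" }) -join ','

    [pscustomobject]$result
}

Test-FcrDns
```

All four boolean fields should be True for the sender in the post; a False on FCrDNS or the HELO checks is what reputation services and receiving MTAs typically reject on, independently of any blocklist.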


How to Enable NetScaler Appliance to Use DNS for Resolving the Hostnames to IP Addresses

This article describes how to enable a NetScaler appliance to use the Domain Name System (DNS) to resolve hostnames to IP addresses.

You will require an SSH utility to access the command line interface of the NetScaler appliance.

By default, the NetScaler appliance cannot resolve hostnames to IP addresses. You must complete the following tasks to enable name resolution on the NetScaler appliance:

  • Define name servers
  • Define a DNS suffix

When you enable the NetScaler appliance to use DNS to resolve hostnames to IP addresses, consider the following points:

  • You must perform the DNS lookup from the command line interface of the NetScaler appliance. If you perform the DNS lookups from the shell prompt of the FreeBSD operating system, the lookups fail because the entry in the /etc/resolver.conf file points to the 127.0.0.2 IP address.

  • The following commands are not available in the command line interface of the appliance:

    • host
    • dig
    • getent/MIP
    • nslookup
  • The NetScaler must be able to ping the DNS server from its SNIP/MIP; otherwise the name server shows as DOWN. This is important when the NetScaler is behind a firewall.


Policy shows failed status when all clients completed successfully

Article Number: 500237 Article Version: 3 Article Type: Break Fix

NetWorker 9.0, NetWorker 9.1, NetWorker 9.2

The NetWorker Management Console (NMC) shows the policy and backup action in a failed state, but expanding the action details shows that all the clients were successful. The backup action details show that it completed with an exit code of 1. The action logs include a warning and a critical event indicating that a reverse DNS lookup for a virtual machine failed during the workflow. Here is the example output:

MM/DD/YYYY HH:MM:SS [NETWORKER_SERVER] savegrp SYSTEM warning Reverse DNS lookup failed for [NETWORKER_CLIENT]: No such host is known.

MM/DD/YYYY HH:MM:SS [NETWORKER_SERVER] savegrp NSR critical Host ‘[NETWORKER_CLIENT]’ in group ‘[NSR_POLICY]’ is unknown.

The NetWorker server is not able to resolve the IP address of the NetWorker client. This typically indicates that the NetWorker client does not have a reverse DNS pointer (PTR) record configured in DNS.

Create a DNS pointer record (PTR) and ensure the DNS server configured for the NetWorker server is able to perform a reverse lookup of the NetWorker client.


EXCEPTION(tcp_error): Request could not be handled


Can anyone help me with the issue below?

Our users have an issue when accessing the website. I suspect it's related to our Bluecoat proxy. Could you help look into this issue?

Missing search bar on the frontpage:

This is the policy trace output

connection: service.name=weixin and whatsapp client.address=X.X.X.X proxy.port=80 client.interface=1:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2018-07-26 02:44:52 UTC

  DNS lookup was unrestricted
user: unauthenticated
authentication status=’not_attempted’ authorization status=’not_attempted’
EXCEPTION(tcp_error): Request could not be handled

Thanks

Nabarun



7022993: GroupWise Mobility 18 Install Fails With Error “Problem Validating GroupWise Server and Credentials”

This document (7022993) is provided subject to the disclaimer at the end of this document.

Environment

GroupWise 18

GroupWise Mobility Service 18

Situation

During the installation of GroupWise Mobility Server, the installation program logs into the GroupWise Admin Service and validates the certificates. Part of that validation is to make sure the hostname in the certificate agrees with a DNS lookup against the IP address. If this fails, the following information appears after you provide the credentials to log in to the GroupWise Admin Program:

GroupWise Adminstration Agent IP address or hostname [192.168.1.10]
GroupWise Administration Port [9710]:
GroupWise Administration user name [admin]
GroupWise Adminstrator password: **********
Successfully validated GroupWise Server and credentials.
Problem validating GroupWise server and credentials. Exception: hostname ‘192.168.1.10 doesn’t match ether of ‘hostname’, ‘192.168.1.10’
success = 1
Please check the entries and try again

Resolution

Make sure that the DNS server that the GroupWise Mobility Server is querying has an entry for the GroupWise Admin Server being connected to during the install. If this is not possible, add an entry to the /etc/hosts file for the Admin Server.

The Mobility Server should have the ability to ping by the hostname in a working environment.

Cause

The Mobility Server cannot resolve the IP address of the GroupWise Admin Server to its hostname.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


SMTP warnings and forwarded impossible email from spam quarantine


Dear Symantec Support,

I have two problems with the Symantec Message Gateway. First of all, on mxtoolbox.com the SMTP test has shown two warnings since the SMG has been in place:

Test                Result
SMTP Banner Check   Reverse DNS does not match SMTP Banner
SMTP TLS            Warning - Does not support TLS.

On the other hand, if I want to forward an e-mail from the spam quarantine, I get this message: "Cannot release the message. It has either been released already or a deivery error occurred. Please Check Brigtmail Log for details."

The Brightmail log says: "Feb 20 2018 19:40:07 [http-bio-443-exec-9] [QuarantineManager] ERROR - error.quarantine.unable.release.delivery javax.mail.MessagingExpection: Could not connenct to SMTP host: …. "

I hope you can help solve this problem. Thanks in advance.



Question on IWA Direct realm & Siem configuration


Hi ,

I was trying to configure an IWA Direct realm on my ASG proxy. When I try to join the domain I'm getting a "Domain Join failed" error [A bad packet was received from a DNS server. Potentially the requested address doesn't exist.] This is the error I'm getting; did I miss anything in the configuration?

I followed the IWA Direct realm configuration document, and I am also able to resolve the AD hostname from my proxy:

PRDPXY01#test dns melinfads01.dba.corp
Performing DNS lookup for: melinfads01.dba.corp

Sending A query for melinfads01.dba.corp to 172.19.17.251.

DNS Response data:
Official Host Name: melinfads01.dba.corp
Resolved Addresses:
  172.19.17.251
Cache TTL: 3600, cache MISS
DNS Resolver Response: Success

PRDPXY01#

Error screen shot is attached,

We are using LogRhythm SIEM to integrate with the proxy. I use the custom log format (it is not working); or do I need to use the SQID 1 type to integrate with LogRhythm? Is there any KB article on how to integrate the ASG proxy with LogRhythm?



Re: Backup SAP HANA via a DDBEA failed

Hello!

Question to someone familiar with DDBEA. Could you please help me find out what may cause such an error?

I'm trying to configure backup of SAP HANA to Data Domain VE via Dell EMC Data Domain Boost for Enterprise Applications and ProtectPoint Database Application Agent. Its version is 4.5.1.

Following the admin guide, I've configured both SAP HANA and DDBEA, but I can't make a backup. It fails with the following error in SAP HANA:

Could not start backup for system BBB DBC: [447]: backup could not be completed: [110515] Backint missing software version tag

In the DDBEA logs there is not much information that could help identify the root cause of the problem.

The only suspicious messages that I've found in the LGTOSAPs.debug log are:

(pid = 11321) (11/24/2017 10:33:01 AM) lnm_parms_list_get_type: Entering.
(pid = 11321) (11/24/2017 10:33:01 AM) lnm_parms_list_get_type: Exiting with error:The name 'data domain client information' does not correspond to a valid LNM parameter.
(pid = 11321) (11/24/2017 10:33:01 AM) lnm_parms_list_check_recognized: Entering.

next

11/24/17 10:33:01 hdbbackint: 11/24/17 10:33:01.495917 DDP LOG: [2C39:20874C0] ddp_access() failed, Path //SapHana2SPS02/hanaserver.com/1, mode 0 Err: 5004-nfs lookup failed (nfs: No such file or directory)
11/24/17 10:33:01 hdbbackint: 11/24/17 10:33:01.495965 fsys_access(/SapHana2SPS02/hanaserver.com/1): Access check for '/SapHana2SPS02/hanaserver.com/1' failed (error number 5004): [11321] [140694879848256] Fri Nov 24 10:33:01 2017
ddp_access() failed, Path //SapHana2SPS02/hanaserver.com/1, mode 0 Err: 5004-nfs lookup failed (nfs: No such file or directory).
11/24/17 10:33:01 hdbbackint: 11/24/17 10:33:01.495986 dd_free_client_handle: client handle(0x2081780) destroyed for client hanaserver.com.

and

hdbbackint: 11/24/17 10:33:01.498106 Reverse DNS lookup failed for <ip of my SH server>: Name or service not known
hdbbackint: 11/24/17 10:33:01.498158 Reverse DNS lookup failed for <ip of my SH server>: Name or service not known
hdbbackint: 11/24/17 10:33:01.498176 Reverse DNS lookup failed for <ip of my SH server>: Name or service not known

but it can be 'nslookup'ed successfully by hand.

In the hdbbackint<SID>.debug log there are some additional messages. I'm not sure about their importance:

11/24/17 10:32:57 hdbbackint: 11/24/17 10:32:57.427161 No access to file /usr/sbin/lcmap: No such file or directory 

11/24/17 10:33:02 hdbbackint: 11/24/17 10:33:02.439958 Bytes 0x54 0x68 0x65 are not UTF-8 BOM

(pid = 11308) (11/24/2017 10:33:02 AM) #ERROR /usr/sap/BBB/SYS/global/hdb/backint/COMPLETE_DATA_BACKUP_databackup_0_1

The only parameters I've modified in the conf file were:

  • DDBOOST_USER
  • DEVICE_HOST
  • DEVICE_PATH
  • DEBUG_LEVEL
  • DPRINTF
  • PARALLELISM

Maybe I've missed something?

Also, the "hdbbackintHANA_…" files, which are error logs and are usually created when errors occur, aren't created in this case! It's strange!

I would very much appreciate any answers or advice! Thank you in advance!
