Monday, September 5, 2011

Citrix Provisioning Server and Active Directory password management

 Most of you know when we provision vDisk using Citrix PVS (Provisioning Services ), PVS should be allowed to manage the machine account password . The reason in nutshell  : vDisk is created using one master image with machine account in domain . Same image is streamed across multiple machine.

How we do this ? This setting is on PVS server setting


But problem start when you have following default Domain policy


Problem : When machine try to negotiate password after 30 days because of PVS setting AD does not allow to do so. Result of which machine goes out of password synch. This kicks machine out domain and Virtual desktop got unregistered from Desktop Delivery controller

This policy as per Citrix PVS eDocs and also one more eDocs suggest to set this to "Enabled". So how you would like to tackle this situation.

1.  If above setting is not followed with password age then you can define  password age policy and apply to OU which is meant for Virtual Desktop.  As shown below for 999 days PVS will enjoy managing provisioned machine password.


2. Windows following Netlogon service tried to negotiate machine password when it expires. This is stored under


3.  If the value is set to "0 " then AD will not allow PVS to negotiate password. Remember this is managed by default  domain controller policy but registry can be overwritten by deploying new registry value. How check this out


If this policy is applied on OU containing VDI then even default domain policy for password can be overwritten. Citrix has also release fix which address similar issue but not exactly the same issue CTX130273.


No comments: