Complete the following tasks before installing and configuring Citrix Provisioning.
Ensure that all Windows updates are current before installing Citrix Provisioning components. Citrix recommends that you reboot after installing all Windows updates.
Select and configure the Microsoft SQL database
Each PVS farm has a single database. You can provide the database on either:
- An existing SQL Server or SQL Server Express instance
- A new server running SQL Server or SQL Server Express
All PVS servers in a farm must be able to communicate with the database server.
In a production environment, to avoid poor distribution during load balancing, best practice is to install the database and Citrix Provisioning server component software on separate servers.
The PVS Configuration Wizard can create the database. Alternatively, if you do not have permission to create databases, you can use the DbScript.exe utility to create a SQL script that a database administrator can run to create the PVS database. This utility is installed with the provisioning software.
If you do not have permission to create databases, use DbScript.exe to generate a SQL script for the database administrator to run to create or update the PVS database. Run the script from the Windows command prompt in
C:\Program Files\Citrix\Provisioning Services.
To generate the script to create the database, use this syntax:
DbScript.exe -new <databaseName> <farmName> <siteName> <collectionName> <farmAdminGroup> <adGroupsEnabled> <scriptName> <is2012orHigher>
To generate the script to update the database, enter:
DbScript.exe -upgrade <databaseName> <scriptName>
The commands use these arguments:
<databaseName>— Name of the database to create or update.
<farmName>— Farm name for the new database.
<siteName>— Site name for the new database.
<collectionName>— Collection name for the new database
<farmAdminGroup>— Farm administrator group, specified as a full path.
Note: When you run the configuration wizard, you must be a member of this group (an Active Directory group) to add the PVS servers to the database.
<adGroupsEnabled>— Enable or disable AD groups, specified as Boolean, where
trueenables AD groups and
falsedisables AD groups.
<scriptName>— Name of the script to generate, specified as a full path.
<is2012orHigher>— The release the new database is for, specified as Boolean, where
trueis for 2012 or higher and
falseis for 2008.
This example generates a script to create an empty Citrix Provisioning database called
db1-2. The script is called newDb.sql and is located in
C:\Program Files\Citrix\Provisioning Services> DbScript.exe -new db1-2 Farm1 Site1 Collection1 "test.local/Users/Domain Users" true c:\newDb.sql true
This example generates a script to upgrade the Citrix Provisioning database
test1. The script is called upgrade.sql and, because no path is specified, is located in the directory where the script was run (
C:\Program Files\Citrix\Provisioning Services).
C:\Program Files\Citrix\Provisioning Services>DbScript.exe -upgrade test1 upgrade.sql
For information, see database sizing.
When the database is created, its initial size is 20 MB with a growth size of 10 MB. The database log initial size is 10 MB with a growth size of 10%.
The base amount of space required is 112 KB, which does not change. The base image includes the following:
- DatabaseVersion record requires approximately 32 KB
- Farm record requires approximately 8 KB
- DiskCreate record requires approximately 16 KB
- Notifications require approximately 40 KB
- ServerMapped record requires approximately 16 KB
The variable amount of space required, based on objects, is as follows:
- Access and groupings (each)
- A User group that has access to the system requires approximately 50 KB
- A Site record requires approximately 4 KB
- A Collection requires approximately 10 KB
- FarmView (each)
- FarmView requires approximately 4 KB
- FarmView/Device relationship requires approximately 5 KB
- SiteView (each)
- SiteView requires approximately 4 KB
- SiteView/Device relationship requires approximately 5 KB
- Target device (each)
- A target device requires approximately 2 KB
DeviceBootstraprequires approximately 10 KB
Device:Diskrelationship requires approximately 35 KB
DevicePersonalityrequires approximately 1 KB
DeviceStatuswhen a Device boot requires approximately 1 KB
DeviceCustomPropertyrequires approximately 2 KB
- Disk (each)
- Unique disk requires approximately 1 KB
DiskVersionrequires approximately 3 KB
DiskLocatorrequires approximately 10 KB
DiskLocatorCustomPropertyrequires approximately 2 KB
- Provisioning server (each)
- A server requires approximately 5 KB
ServerIPrequires approximately 2 KB
ServerStatuswhen a Server boot requires approximately 1 KB
ServerCustomPropertyrequires approximately 2 KB
- Store (each)
- Store requires approximately 8 KB
- Store:Server relationship requires approximately 4 KB
- Disk update (each)
VirtualHostingPoolrequires approximately 4 KB
UpdateTaskrequires approximately 10 KB
DiskUpdateDevicerequires approximately 2 KB
DiskUpdateDevice:Diskrelationship requires approximately 35 KB
Disk:UpdateTaskrelationship requires approximately 1 KB
The following changes cause the size requirements to increase:
- Each processed task (for example: Virtual disk versionings merge) requires approximately 2 KB.
- If auditing is turned on, each change made by the administrator in the Citrix Provisioning console, MCLI, or PowerShell interface requires approximately 1 KB.
For Citrix Provisioning to support MS SQL database mirroring, the database needs to be configured with High-safety mode with a witness (synchronous).
When using the Database Mirroring feature, the SQL native client is required on the server. If the native SQL client does not exist, the option to install SQL native client x64 or x86 is presented when SQL is installed.
Be sure to update SQL native client to a version that supports TLS 1.2. For details, see “Client component downloads” in KB3135244 - TLS 1.2 support for Microsoft SQL Server.
For information on how to configure and use database mirroring, see Database mirroring.
To implement database clustering, follow Microsoft’s instructions then run the Citrix Provisioning Configuration wizard. No additional steps are required because the wizard considers the cluster as a single SQL Server.
Citrix Provisioning uses Windows authentication for accessing the database. Microsoft SQL Server authentication is not supported except by the Configuration Wizard.
The following MS SQL permissions are required for the user that is running the Configuration wizard:
dbcreatorfor creating the database
securityadminfor creating the SQL logins for the Stream and SOAP services
If you are using MS SQL Express in a test environment, you can choose to give the user that is running the Configuration wizard
sysadmin privileges, the highest level for the database.
Alternatively, if the database administrator has created an empty database by running the DbScript.exe utility, the user running the Configuration wizard must be the owner of the database. Also, this user must have the View any definition permission. The database administrator sets this permission when the empty database is created.
The user context for the Stream and SOAP services requires the following database permissions:
- Run permissions on stored procedures
Datareader and Datawriter database roles are configured automatically for the Stream and SOAP Services user account using the Configuration wizard. The Configuration wizard assigns these permissions provided the user has security admin permissions. In addition, the service user must have the following system privileges:
- Run as service
- Registry read access
- Access to Program Files\Citrix\Citrix Provisioning
- Read and write access to any virtual disk location
Determine which of the following supported user accounts the Stream and SOAP services run under:
Network service account
Minimum privilege local account, which authenticates on the network as a computers domain machine account
Specified user account (required when using a Windows Share), which can be a Workgroup or domain user account
Support for KMS licensing requires the SOAP Server user account to be a member of the local administrators group.
Authentication is not common in workgroup environments, as a result, minimum privilege user accounts must be created on each server and each instance must have identical credentials.
Determine the appropriate security option to use in this farm. Only one option can be selected per farm and the selection you choose impacts role-based administration. For security options:
Use Active Directory groups for security (default); select this option if you are on a Windows Domain running Active Directory. This option enables you to use Active Directory for Citrix Provisioning administration roles.
Windows 2,000 Domains are not supported.
Use Windows groups for security. Select this option if you are on a single server or in a Workgroup. This option enables you to use the Local User/Groups on that particular server for Citrix Provisioning administration roles.
Console users do not directly access the database.
Minimum permissions required for more provisioning functionality include:
- Citrix Virtual Apps and Desktops Setup wizard, Streamed VM Setup wizard, and ImageUpdate service
- vCenter, SCVMM, and Citrix Hypervisor minimum permissions
- Permissions for the current user on an existing Citrix Virtual Apps and Desktops controller
- A Citrix Provisioning console user account configured as a Citrix Virtual Apps and Desktops administrator added to a provisioning
SiteAdmingroup or higher
- Active Directory Create Accounts permission to create accounts in the console. To use existing accounts, Active Directory accounts have to exist in a known OU for selection
- AD account synchronization: create, reset, and delete permissions
- Virtual disk: Privileges to perform volume maintenance tasks
A service account does not require special AD permissions.
Use the information in this section to establish a remote connection to the SQL server.
- Log into the SQL server using SQL Management Studio.
In the object explorer window, right-click the SQL server and choose Properties:
- In the Object Exploer window, select the Connections node. Under Remote server connections, select or clear the Allow remote connections to this server check box:
After updating the remote server connection:
- In the Start menu, click Start > Microsoft SQL Server version > SQL Server version Configuration Manager. The SQL Server Configuration Manager window appears.
- Expand the option SQL Server Network Configuration. Select Protocols for (your server name). Select TCP/IP and right click. In the contextual menu, choose Enable. Click OK to restart the service.
After restarting the service, change the Start mode. In the SQL Server Configuration Manager window:
- Select SQL Server Services. In the right pane, right-click the SQL Server Browser option to expose a contextual menu.
- Choose Properties.
- In the Service tab, change the Start Mode to Automatic.
- Click OK.
- Select the SQL Server Browser and right-click to expose a contextual menu. Click Start.
- Select the SQL Server Instance Name and right-click to expose a contextual menu. Click Restart.
Use the information in this section to create an exception for SQL Server in environments using Windows Firewall:
- Open the Control panel and select System and Security.
Select Windows Defender Firewall:
Click Allow an app or feature through Windows Defender Firewall. Turn on Windows Firewall:
In the Allow apps to communicate through Windows Defender Firewall window, click Allow another app…:
- In the Add an app screen, click Browse.
Browse to the SQL Service
sqlserver.exeand click Open. The default path to
- SQL 2019 –
C:\Program Files\Microsoft SQL Server\MSSQL15.<SQL Instance Name>\MSSQL\Binn
- SQL 2017 –
C:\Program Files\Microsoft SQL Server\MSSQL14.<SQL Instance Name>\MSSQL\Binn
- SQL 2019 –
- Click Add:
- Repeat steps 4–7 for
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe.
- Click OK.
By default, the Citrix Provisioning console, Imaging wizard, PowerShell snap-in, and MCLI use Kerberos authentication when communicating with the SOAP Service in an Active Directory environment. Part of the Kerberos architecture is for a service to register (create a service principal name, SPN) with the domain controller (Kerberos Key Distribution Center). The registration is essential because it allows Active Directory to identify the account that the SOAP service is running in. If the registration is not performed, the Kerberos authentication fails and Citrix Provisioning falls back to using NTLM authentication.
The Citrix Provisioning SOAP Service registers every time the service starts and unregisters when the service stops. However, the registration fails if the service user account does not have permission. By default, the Network Service account and domain administrators have permission while normal domain user accounts do not.
To work around this permissions issue, do either of the following:
Use a different account that has permissions to create SPNs.
Assign permissions to the service account.
|Write Validated SPN
|Write Public Information