Pre-installation tasks
You must complete the following tasks before installing and configuring Provisioning Services.
Select and configure the MS SQL database
Only one database is associated with a farm. You can install the Provisioning Services database software on:
- An existing SQL database, if that machine can communicate with all Provisioning Servers within the farm
- A new SQL Express database machine, created using SQL Express, which is free from Microsoft.
In a production environment, best practice is to install the database and Provisioning Server software on separate servers, to avoid poor distribution during load balancing.
The database administrator may prefer to create the Provisioning Services database. In this case, provide the MS SQL database administrator with the file that is created using the DbScript.exe utility. This utility is installed with the Provisioning Services software.
Database sizing
For information on database sizing, see Estimate the Size of a Database.
When the database is created, its initial size is 20 MB with a growth size of 10 MB. The database log initial size is 10 MB with a growth size of 10%.
The base amount of space required is 112 KB, which does not change. This includes the following:
- Database Version record requires approximately 32 KB
- Farm record requires approximately 8 KB
- Disk Create record requires approximately 16 KB
- Notifications require approximately 40 KB
- Server Mapped record requires approximately 16 KB
The variable amount of space required, based on objects, is as follows:
- Access and groupings (each)
  - A User group that has access to the system requires approximately 50 KB
  - A Site record requires approximately 4 KB
  - A Collection requires approximately 10 KB
- Farm View (each)
  - Farm View requires approximately 4 KB
  - FarmView/Device relationship requires approximately 5 KB
- Site View (each)
  - Site View requires approximately 4 KB
  - SiteView/Device relationship requires approximately 5 KB
- Target device (each)
  - A target device requires approximately 2 KB
  - Device Bootstrap requires approximately 10 KB
  - Device: Disk relationship requires approximately 35 KB
  - Device: Printer relationship requires approximately 1 KB
  - Device Personality requires approximately 1 KB
  - Device Status when a Device boots requires approximately 1 KB
  - DeviceCustomProperty requires approximately 2 KB
- Disk (each)
  - Unique disk requires approximately 1 KB
  - DiskVersion requires approximately 3 KB
  - Disk Locator requires approximately 10 KB
  - DiskLocatorCustomProperty requires approximately 2 KB
- Provisioning Server (each)
  - A server requires approximately 5 KB
  - ServerIP requires approximately 2 KB
  - Server Status when a Server boots requires approximately 1 KB
  - ServerCustomProperty requires approximately 2 KB
- Store (each)
  - Store requires approximately 8 KB
  - Store:Server relationship requires approximately 4 KB
- Disk update (each)
  - VirtualHostingPool requires approximately 4 KB
  - UpdateTask requires approximately 10 KB
  - DiskUpdateDevice requires approximately 2 KB
  - Each DiskUpdateDevice:Disk relationship requires approximately 35 KB
  - Disk:UpdateTask relationship requires approximately 1 KB
The following changes cause the size requirements to increase:
- Each processed task (for example, a vDisk version merge) requires approximately 2 KB
- If auditing is turned on, each change made by the administrator in the Console, MCLI, or PowerShell interface requires approximately 1 KB
Database mirroring
For Provisioning Services to support MS SQL database mirroring, the database needs to be configured with High-safety mode with a witness (synchronous).
If you intend to use the Database Mirroring feature, the SQL native client is required on the server. If it is not already installed, the option to install SQL native client x64 or x86 is presented when SQL is installed.
For information on how to configure and use database mirroring, see Database mirroring.
Database clustering
To implement database clustering, follow Microsoft’s instructions then run the Provisioning Services Configuration wizard. No additional steps are required because the wizard considers the cluster as a single SQL Server.
Configure authentication
Provisioning Services uses Windows authentication for accessing the database. Microsoft SQL Server authentication is not supported except by the Configuration Wizard.
Configuration wizard user permissions
The following MS SQL permissions are required for the user that is running the Configuration wizard:
- dbcreator for creating the database
- security admin for creating the SQL logins for the Stream and SOAP services.
If you are using MS SQL Express in a test environment, you can choose to give the user that is running the Configuration wizard sysadmin privileges (the highest database privilege level).
Alternatively, if the database administrator has provided an empty database, the user running the Configuration wizard must be the owner of the database and have the View any definition permission (set by the database administrator when the empty database is created).
Service account permissions
The user context for the Stream and SOAP services requires the following database permissions:
- db_datareader
- db_datawriter
- Execute permissions on stored procedures
Datareader and Datawriter database roles are configured automatically for the Stream and SOAP Services user account using the Configuration wizard. The Configuration wizard assigns these permissions provided the user has security admin permissions. In addition, the service user must have the following system privileges:
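The following T-SQL script is an added example (not part of the Citrix documentation) that applies the permissions described above by hand, for the case where the database administrator prepares the database instead of the Configuration wizard. It assumes placeholder names: a domain account CONTOSO\pvs_wizard for the user running the Configuration wizard, a domain service account CONTOSO\svc_pvs for the Stream and SOAP services, a database named ProvisioningServices, stored procedures in the dbo schema, and SQL Server 2012 or later (for ALTER ROLE ... ADD MEMBER).

```sql
-- Added example, not Citrix code. All account and database names are placeholders.
USE [master];
GO
-- 1. Configuration wizard user: Windows login with only the two server roles the
--    wizard needs (dbcreator to create the database, securityadmin to create the
--    logins for the Stream and SOAP services). Avoid sysadmin outside test labs.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\pvs_wizard')
    CREATE LOGIN [CONTOSO\pvs_wizard] FROM WINDOWS;
ALTER SERVER ROLE dbcreator     ADD MEMBER [CONTOSO\pvs_wizard];
ALTER SERVER ROLE securityadmin ADD MEMBER [CONTOSO\pvs_wizard];
GO
-- 2. Stream/SOAP service account: Windows authentication only (SQL logins are not
--    used by the services), with db_datareader, db_datawriter and EXECUTE on the
--    stored procedures. No db_owner or sysadmin for the runtime services.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_pvs')
    CREATE LOGIN [CONTOSO\svc_pvs] FROM WINDOWS;
GO
USE [ProvisioningServices];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_pvs')
    CREATE USER [CONTOSO\svc_pvs] FOR LOGIN [CONTOSO\svc_pvs];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc_pvs];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc_pvs];
-- Schema-level EXECUTE covers every stored procedure in dbo (assumed schema).
GRANT EXECUTE ON SCHEMA::dbo TO [CONTOSO\svc_pvs];
GO
-- 3. Verification: list the database roles the service account ended up in.
--    Expect exactly db_datareader and db_datawriter.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\svc_pvs'
ORDER BY r.name;
GO
```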
- Run as service
- Registry read access
- Access to Program Files\Citrix\Provisioning Services
- Read and write access to any vDisk location
Determine which of the following supported user accounts the Stream and SOAP services run under:
- Network service account: a minimum privilege local account, which authenticates on the network as the computer's domain machine account
- Specified user account (required when using a Windows Share), which can be a Workgroup or domain user account
Provisioning Services support for KMS licensing requires the SOAP Server user account to be a member of the local administrators group.
Because authentication is not common in workgroup environments, minimum privilege user accounts must be created on each server, and each instance must have identical credentials.
Determine the appropriate security option to use in this farm (only one option can be selected per farm and the selection you choose impacts role-based administration):
- Use Active Directory groups for security (default); select this option if you are on a Windows Domain running Active Directory. This option enables you to use Active Directory for Provisioning Services administration roles. Note: Windows 2000 Domains are not supported.
- Use Windows groups for security. Select this option if you are on a single server or in a Workgroup. This option enables you to use the Local User/Groups on that particular server for Provisioning Services administration roles.
Console users do not directly access the database.
Minimum permissions required for additional Provisioning Services functionality include:
- Provisioning Services XenDesktop Setup wizard, Streamed VM Setup wizard, and ImageUpdate service
- vCenter, SCVMM, and XenServer minimum permissions
- Permissions for the current user on an existing XenDesktop controller
- A Provisioning Services Console user account configured as a XenDesktop administrator and added to a PVS Site Admin group or higher
- Active Directory Create Accounts permission to create accounts in the Console. To use existing accounts, Active Directory accounts have to exist in a known OU for selection
- If using Personal vDisks with XenDesktop, the SOAP Server user account must have XenDesktop Full administrator privileges.
- AD account synchronization: Create, Reset, and Delete permissions
- vDisk: Privileges to perform volume maintenance tasks
Kerberos security
By default, the Provisioning Services Console, Imaging wizard, PowerShell snap-in and MCLI use Kerberos authentication when communicating with the Provisioning Services SOAP Service in an Active Directory environment. Part of the Kerberos architecture is for a service to register (create a service principal name, SPN) with the domain controller (Kerberos Key Distribution Center). The registration is essential because it allows Active Directory to identify the account that the Provisioning Services SOAP service is running in. If the registration is not performed, the Kerberos authentication fails and Provisioning Services falls back to using NTLM authentication.
The Provisioning Services SOAP Service registers every time the service starts and unregisters when the service stops. However, the registration fails if the service user account does not have permission. By default, the Network Service account and domain administrators have permission while normal domain user accounts do not.
To work around this permissions issue, do either of the following:
- Use a different account that has permissions to create SPNs.
- Assign permissions to the service account:

| Account Type | Permission |
| --- | --- |
| Computer Account | Write Validated SPN |
| User Account | Write Public Information |