Complete the following tasks before installing and configuring Citrix Provisioning.
Ensure that all Windows updates are current before installing Citrix Provisioning components. Citrix recommends that you reboot after installing all Windows updates.
Select and configure the Microsoft SQL database
Only one database is associated with a farm. You can install the Citrix Provisioning database software on:
- An existing SQL database, if that machine can communicate with all provisioning servers within the farm.
- A new SQL Express database machine, created using SQL Express, which is free from Microsoft.
In a production environment, best practice is to install the database and Citrix Provisioning server component software on separate servers, to avoid poor distribution during load balancing.
The database administrator can create the Citrix Provisioning database. In this case, provide the MS SQL database administrator with the file that is created using the DbScript.exe utility. This utility is installed with the provisioning software.
For information on database sizing, see https://msdn.microsoft.com/en-us/library/ms187445.aspx.
When the database is created, its initial size is 20 MB with a growth size of 10 MB. The database log initial size is 10 MB with a growth size of 10%.
The base amount of space required is 112 KB, which does not change. The base image includes the following:
- DatabaseVersion record requires approximately 32 KB
- Farm record requires approximately 8 KB
- DiskCreate record requires approximately 16 KB
- Notifications require approximately 40 KB
- ServerMapped record requires approximately 16 KB
The variable amount of space required, based on objects, is as follows:
- Access and groupings (each)
- A User group that has access to the system requires approximately 50 KB
- A Site record requires approximately 4 KB
- A Collection requires approximately 10 KB
- FarmView (each)
- FarmView requires approximately 4 KB
- FarmView/Device relationship requires approximately 5 KB
- SiteView (each)
- SiteView requires approximately 4 KB
- SiteView/Device relationship requires approximately 5 KB
- Target device (each)
- A target device requires approximately 2 KB
- DeviceBootstrap requires approximately 10 KB
- Device:Disk relationship requires approximately 35 KB
- Device:Printer relationship requires approximately 1 KB
- DevicePersonality requires approximately 1 KB
- DeviceStatus when a Device boot requires approximately 1 KB
- DeviceCustomProperty requires approximately 2 KB
- Disk (each)
- Unique disk requires approximately 1 KB
- DiskVersion requires approximately 3 KB
- DiskLocator requires approximately 10 KB
- DiskLocatorCustomProperty requires approximately 2 KB
- Provisioning server (each)
- A server requires approximately 5 KB
- ServerIP requires approximately 2 KB
- ServerStatus when a Server boot requires approximately 1 KB
- ServerCustomProperty requires approximately 2 KB
- Store (each)
- Store requires approximately 8 KB
- Store:Server relationship requires approximately 4 KB
- Disk update (each)
- VirtualHostingPool requires approximately 4 KB
- UpdateTask requires approximately 10 KB
- DiskUpdateDevice requires approximately 2 KB
- Each DiskUpdateDevice:Disk relationship requires approximately 35 KB
- Disk:UpdateTask relationship requires approximately 1 KB
The following changes cause the size requirements to increase:
- Each processed task (for example: vDisk versioning merge) requires approximately 2 KB.
- If auditing is turned on, each change made by the administrator in the Citrix Provisioning console, MCLI, or PowerShell interface requires approximately 1 KB.
For Citrix Provisioning to support MS SQL database mirroring, the database needs to be configured with High-safety mode with a witness (synchronous).
If you intend to use the Database Mirroring feature, the SQL native client is required on the server. If the native SQL client does not exist, the option to install SQL native client x64 or x86 is presented when SQL is installed.
For information on how to configure and use database mirroring, see Database mirroring.
To implement database clustering, follow Microsoft’s instructions then run the Citrix Provisioning Configuration wizard. No additional steps are required because the wizard considers the cluster as a single SQL Server.
Citrix Provisioning uses Windows authentication for accessing the database. Microsoft SQL Server authentication is not supported except by the Configuration Wizard.
Configuration wizard user permissions
The following MS SQL permissions are required for the user that is running the Configuration wizard:
- dbcreator for creating the database
- securityadmin for creating the SQL logins for the Stream and SOAP services
If you are using MS SQL Express in a test environment, you can choose to give the user that is running the Configuration wizard sysadmin privileges. These privileges are the highest level for the database.
Alternatively, if the database administrator has provided an empty database, the user running the Configuration wizard must be the owner of the database. Also, the user must have the View any definition permission (set by the database administrator when the empty database is created).
Service account permissions
The user context for the Stream and SOAP services requires the following database permissions:
- Execute permissions on stored procedures
Datareader and Datawriter database roles are configured automatically for the Stream and SOAP Services user account using the Configuration wizard. The Configuration wizard assigns these permissions provided the user has securityadmin permissions. In addition, the service user must have the following system privileges:
- Run as service
- Registry read access
- Access to Program Files\Citrix\Citrix Provisioning
- Read and write access to any vDisk location
Determine which of the following supported user accounts the Stream and SOAP services run under:
Network service account
Minimum privilege local account, which authenticates on the network as a computers domain machine account
Specified user account (required when using a Windows Share), which can be a Workgroup or domain user account
Support for KMS licensing requires the SOAP Server user account to be a member of the local administrators group.
Because authentication is not common in workgroup environments, minimum privilege user accounts must be created on each server, and each instance must have identical credentials.
Determine the appropriate security option to use in this farm (only one option can be selected per farm and the selection you choose impacts role-based administration):
Use Active Directory groups for security (default); select this option if you are on a Windows Domain running Active Directory. This option enables you to use Active Directory for Citrix Provisioning administration roles.
Windows 2,000 Domains are not supported.
Use Windows groups for security. Select this option if you are on a single server or in a Workgroup. This option enables you to use the Local User/Groups on that particular server for Citrix Provisioning administration roles.
Console users do not directly access the database.
Minimum permissions required for more provisioning functionality include:
- Citrix Virtual Apps and Desktops Setup wizard, Streamed VM Setup wizard, and ImageUpdate service
- vCenter, SCVMM, and XenServer minimum permissions
- Permissions for the current user on an existing Citrix Virtual Apps and Desktops controller
- A Citrix Provisioning console user account configured as a XenDesktop administrator and added to a provisioning SiteAdmin group or higher
- Active Directory Create Accounts permission to create accounts in the console. To use existing accounts, Active Directory accounts have to exist in a known OU for selection
- If using personal vDisks with Citrix Virtual Apps and Desktops, the SOAP Server user account must have Citrix Virtual Apps and Desktops full administrator privileges.
- AD account synchronization: create, reset, and delete permissions
- vDisk: Privileges to perform volume maintenance tasks
By default, the Citrix Provisioning console, Imaging wizard, PowerShell snap-in, and MCLI use Kerberos authentication when communicating with the SOAP Service in an Active Directory environment. Part of the Kerberos architecture is for a service to register (create a service principal name, SPN) with the domain controller (Kerberos Key Distribution Center). The registration is essential because it allows Active Directory to identify the account that the SOAP service is running in. If the registration is not performed, the Kerberos authentication fails and Citrix Provisioning falls back to using NTLM authentication.
The Citrix Provisioning SOAP Service registers every time the service starts and unregisters when the service stops. However, the registration fails if the service user account does not have permission. By default, the Network Service account and domain administrators have permission while normal domain user accounts do not.
To work around this permissions issue, do either of the following:
Use a different account that has permissions to create SPNs.
Assign permissions to the service account.
|Computer Account||Write Validated SPN|
|User Account||Write Public Information|