Citrix Provisioning

Pre-installation tasks

Complete the following tasks before installing and configuring Citrix Provisioning.

Important:

Ensure that all Windows updates are current before installing Citrix Provisioning components. Citrix recommends that you reboot after installing all Windows updates.

Select and configure the Microsoft SQL database

Each PVS farm has a single database. You can provide the database on either:

  • An existing SQL Server or SQL Server Express instance
  • A new server running SQL Server or SQL Server Express

All PVS servers in a farm must be able to communicate with the database server.

In a production environment, to avoid poor distribution during load balancing, best practice is to install the database and Citrix Provisioning server component software on separate servers.

The PVS Configuration Wizard can create the database. Alternatively, if you do not have permission to create databases, you can use the DbScript.exe utility to create a SQL script that a database administrator can run to create the PVS database. This utility is installed with the provisioning software.

Run the DbScript.exe utility to create or update the database

If you do not have permission to create databases, use DbScript.exe to generate a SQL script for the database administrator to run to create or update the PVS database. Run the script from the Windows command prompt in C:\Program Files\Citrix\Provisioning Services.

To generate the script to create the database, use this syntax:

DbScript.exe -new <databaseName> <farmName> <siteName> <collectionName> <farmAdminGroup> <adGroupsEnabled> <scriptName> <is2012orHigher>

To generate the script to update the database, enter:

DbScript.exe -upgrade <databaseName> <scriptName>

The commands use these arguments:

  • <databaseName> — Name of the database to create or update.
  • <farmName> — Farm name for the new database.
  • <siteName> — Site name for the new database.
  • <collectionName> — Collection name for the new database
  • <farmAdminGroup> — Farm administrator group, specified as a full path.

    Note: When you run the configuration wizard, you must be a member of this group (an Active Directory group) to add the PVS servers to the database.

  • <adGroupsEnabled> — Enable or disable AD groups, specified as Boolean, where true enables AD groups and false disables AD groups.
  • <scriptName> — Name of the script to generate, specified as a full path.
  • <is2012orHigher> — The release the new database is for, specified as Boolean, where true is for 2012 or higher and false is for 2008.

DbScript.exe examples

This example generates a script to create an empty Citrix Provisioning database called db1-2. The script is called newDb.sql and is located in C:.

C:\Program Files\Citrix\Provisioning Services> DbScript.exe -new db1-2 Farm1 Site1 Collection1 "test.local/Users/Domain Users" true c:\newDb.sql true

This example generates a script to upgrade the Citrix Provisioning database test1. The script is called upgrade.sql and, because no path is specified, is located in the directory where the script was run (C:\Program Files\Citrix\Provisioning Services).

C:\Program Files\Citrix\Provisioning Services>DbScript.exe -upgrade test1 upgrade.sql

Database sizing

For information, see database sizing.

When the database is created, its initial size is 20 MB with a growth size of 10 MB. The database log initial size is 10 MB with a growth size of 10%.

The base amount of space required is 112 KB, which does not change. The base image includes the following:

  • DatabaseVersion record requires approximately 32 KB
  • Farm record requires approximately 8 KB
  • DiskCreate record requires approximately 16 KB
  • Notifications require approximately 40 KB
  • ServerMapped record requires approximately 16 KB

The variable amount of space required, based on objects, is as follows:

  • Access and groupings (each)
    • A User group that has access to the system requires approximately 50 KB
    • A Site record requires approximately 4 KB
    • A Collection requires approximately 10 KB
  • FarmView (each)
    • FarmView requires approximately 4 KB
    • FarmView/Device relationship requires approximately 5 KB
  • SiteView (each)
    • SiteView requires approximately 4 KB
    • SiteView/Device relationship requires approximately 5 KB
  • Target device (each)
    • A target device requires approximately 2 KB
    • DeviceBootstrap requires approximately 10 KB
    • Device:Disk relationship requires approximately 35 KB
    • Device:Printer relationship requires approximately 1 KB
    • DevicePersonality requires approximately 1 KB
    • DeviceStatus when a Device boot requires approximately 1 KB
    • DeviceCustomProperty requires approximately 2 KB
  • Disk (each)
    • Unique disk requires approximately 1 KB
    • DiskVersion requires approximately 3 KB
    • DiskLocator requires approximately 10 KB
    • DiskLocatorCustomProperty requires approximately 2 KB
  • Provisioning server (each)
    • A server requires approximately 5 KB
    • ServerIP requires approximately 2 KB
    • ServerStatus when a Server boot requires approximately 1 KB
    • ServerCustomProperty requires approximately 2 KB
  • Store (each)
    • Store requires approximately 8 KB
    • Store:Server relationship requires approximately 4 KB
  • Disk update (each)
    • VirtualHostingPool requires approximately 4 KB
    • UpdateTask requires approximately 10 KB
    • DiskUpdateDevice requires approximately 2 KB
    • Each DiskUpdateDevice:Disk relationship requires approximately 35 KB
    • Disk:UpdateTask relationship requires approximately 1 KB

The following changes cause the size requirements to increase:

  • Each processed task (for example: Virtual disk versionings merge) requires approximately 2 KB.
  • If auditing is turned on, each change made by the administrator in the Citrix Provisioning console, MCLI, or PowerShell interface requires approximately 1 KB.

Database mirroring

For Citrix Provisioning to support MS SQL database mirroring, the database needs to be configured with High-safety mode with a witness (synchronous).

When using the Database Mirroring feature, the SQL native client is required on the server. If the native SQL client does not exist, the option to install SQL native client x64 or x86 is presented when SQL is installed.

Be sure to update SQL native client to a version that supports TLS 1.2. For details, see “Client component downloads” in KB3135244 - TLS 1.2 support for Microsoft SQL Server.

For information on how to configure and use database mirroring, see Database mirroring.

Database clustering

To implement database clustering, follow Microsoft’s instructions then run the Citrix Provisioning Configuration wizard. No additional steps are required because the wizard considers the cluster as a single SQL Server.

Configure authentication

Citrix Provisioning uses Windows authentication for accessing the database. Microsoft SQL Server authentication is not supported except by the Configuration Wizard.

Configuration wizard user permissions

The following MS SQL permissions are required for the user that is running the Configuration wizard:

  • dbcreator for creating the database
  • securityadmin for creating the SQL logins for the Stream and SOAP services

If you are using MS SQL Express in a test environment, you can choose to give the user that is running the Configuration wizard sysadmin privileges, the highest level for the database.

Alternatively, if the database administrator has created an empty database by running the DbScript.exe utility, the user running the Configuration wizard must be the owner of the database. Also, this user must have the View any definition permission. The database administrator sets this permission when the empty database is created.

Service account permissions

The user context for the Stream and SOAP services requires the following database permissions:

  • db\_datareader
  • db\_datawriter
  • Run permissions on stored procedures

Datareader and Datawriter database roles are configured automatically for the Stream and SOAP Services user account using the Configuration wizard. The Configuration wizard assigns these permissions provided the user has security admin permissions. In addition, the service user must have the following system privileges:

  • Run as service
  • Registry read access
  • Access to Program Files\Citrix\Citrix Provisioning
  • Read and write access to any virtual disk location

Determine which of the following supported user accounts the Stream and SOAP services run under:

  • Network service account

    Minimum privilege local account, which authenticates on the network as a computers domain machine account

  • Specified user account (required when using a Windows Share), which can be a Workgroup or domain user account

Support for KMS licensing requires the SOAP Server user account to be a member of the local administrators group.

Tip:

Authentication is not common in workgroup environments, as a result, minimum privilege user accounts must be created on each server and each instance must have identical credentials.

Determine the appropriate security option to use in this farm. Only one option can be selected per farm and the selection you choose impacts role-based administration. For security options:

  • Use Active Directory groups for security (default); select this option if you are on a Windows Domain running Active Directory. This option enables you to use Active Directory for Citrix Provisioning administration roles.

    Note:

    Windows 2,000 Domains are not supported.

  • Use Windows groups for security. Select this option if you are on a single server or in a Workgroup. This option enables you to use the Local User/Groups on that particular server for Citrix Provisioning administration roles.

Console users do not directly access the database.

Minimum permissions required for more provisioning functionality include:

  • Citrix Virtual Apps and Desktops Setup wizard, Streamed VM Setup wizard, and ImageUpdate service
    • vCenter, SCVMM, and Citrix Hypervisor minimum permissions
    • Permissions for the current user on an existing Citrix Virtual Apps and Desktops controller
    • A Citrix Provisioning console user account configured as a Citrix Virtual Apps and Desktops administrator added to a provisioning SiteAdmin group or higher
    • Active Directory Create Accounts permission to create accounts in the console. To use existing accounts, Active Directory accounts have to exist in a known OU for selection
    • If using personal vDisks with Citrix Virtual Apps and Desktops, the SOAP Server user account must have Citrix Virtual Apps and Desktops full administrator privileges.
  • AD account synchronization: create, reset, and delete permissions
  • Virtual disk: Privileges to perform volume maintenance tasks

Enable a remote connection in SQL Server

Use the information in this section to establish a remote connection to the SQL server.

  1. Log into the SQL server using SQL Management Studio.
  2. In the object explorer window, right-click the SQL server and choose Properties:

    MS SQL server object explorer

  3. In the Object Exploer window, select the Connections node. Under Remote server connections, select or clear the Allow remote connections to this server check box:

MS SQL server connections

After updating the remote server connection:

  1. In the Start menu, click Start > Microsoft SQL Server version > SQL Server version Configuration Manager. The SQL Server Configuration Manager window appears.
  2. Expand the option SQL Server Network Configuration. Select Protocols for (your server name). Select TCP/IP and right click. In the contextual menu, choose Enable. Click OK to restart the service.

MS SQL server TCP/IP

After restarting the service, change the Start mode. In the SQL Server Configuration Manager window:

  1. Select SQL Server Services. In the right pane, right-click the SQL Server Browser option to expose a contextual menu.
  2. Choose Properties.
  3. In the Service tab, change the Start Mode to Automatic.
  4. Click OK.

MS SQL server browser properties

  1. Select the SQL Server Browser and right-click to expose a contextual menu. Click Start.
  2. Select the SQL Server Instance Name and right-click to expose a contextual menu. Click Restart.

Create an exception for SQL Server in Windows Firewall

Use the information in this section to create an exception for SQL Server in environments using Windows Firewall:

  1. Open the Control panel and select System and Security.
  2. Select Windows Defender Firewall:

    MS SQL server Windows Defender Filewall

  3. Click Allow an app or feature through Windows Defender Firewall. Turn on Windows Firewall:

    MS SQL server enables Windows Defender Firewall

  4. In the Allow apps to communicate through Windows Defender Firewall window, click Allow another app…:

    MS SQL server allows firewall apps

  5. In the Add an app screen, click Browse.
  6. Browse to the SQL Service sqlserver.exe and click Open. The default path to sqlserver.exe is:

    • SQL 2019 – C:\Program Files\Microsoft SQL Server\MSSQL15.<SQL Instance Name>\MSSQL\Binn
    • SQL 2017 – C:\Program Files\Microsoft SQL Server\MSSQL14.<SQL Instance Name>\MSSQL\Binn
  7. Click Add:

MS SQL server allows firewall apps

  1. Repeat steps 4–7 for C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe.
  2. Click OK.

Kerberos security

By default, the Citrix Provisioning console, Imaging wizard, PowerShell snap-in, and MCLI use Kerberos authentication when communicating with the SOAP Service in an Active Directory environment. Part of the Kerberos architecture is for a service to register (create a service principal name, SPN) with the domain controller (Kerberos Key Distribution Center). The registration is essential because it allows Active Directory to identify the account that the SOAP service is running in. If the registration is not performed, the Kerberos authentication fails and Citrix Provisioning falls back to using NTLM authentication.

The Citrix Provisioning SOAP Service registers every time the service starts and unregisters when the service stops. However, the registration fails if the service user account does not have permission. By default, the Network Service account and domain administrators have permission while normal domain user accounts do not.

To work around this permissions issue, do either of the following:

  • Use a different account that has permissions to create SPNs.

  • Assign permissions to the service account.

   
Account Type Permission
Computer Account Write Validated SPN
User Account Write Public Information
Pre-installation tasks