1 - Adminstrator configure a VM with the App's and settings that they require to be unique for all of the planned VMs.

2 - The final image is a .vmdk virtual disk file that resides in a folder on the root of the datastore it is deployed to

3 - Admin defines the size of vm,  vcpu , memory via the MCS Wizard

4 - Admin chooses amount of vms to be created and added to catalog in the MCS Wizard

5 - Admin chooses a naming convention for the machines to be created in the catalog, in the MCS Wizard

6 -VMs are all created as "Linked Clones"

7 -Each VM created has two or three disks assigned to it:

Master image - single base disk .vmdk file - mounted as non persistent on SCSI 0:0 to each VM. allows RO to base .vmdkand all data changes are redirected to a .REDO file in the VM's home folder.

Personality Disk - A small 16MB VMDK mounted on SCSI 0:1.This contains some basic info such as machine name, SID, Domain Computer account password and other unique info injected into the OS on boot-up

Personal vDisk (Optional) This disk is used in cases where you want persistence in your VM

The time line for all of this is as follows:

1 - MCS takes a VMwaresnapshot of the Master VM

2 - MCS creates a Temp VM (XD Temp 4)which is configured with the vmdk form the original master image that was has just has a snapshot.

3 - It then clones the Temp VM (XD-Temp-4) to anohter VM, using some name supplied in he creation wizard and then appends "-baseDisk-datastore-51 to it. The VM is created with this name so that the folder and basedisk.vmdk inside have the naming convention specified in MCS

4 -After cloning, the new VM with the appended (-basedisk...) name, it is reconfigured to have the disk removed.

5 - MCS issues a command to delete the VM By first removing the disk from the VM, it prevents the base disk .vmdk and folder from being deleted when the VM is deleted. The result is that all of the VM files are purged but the base disk is still there, as well as the description name selectled in the MCS wizard.

6 - A new VM is then created called "Preparation"-+ the name specified in MCS wizard
This prep VM is created with the amount of CPU and ram specified in mcs wizard

7 -The new prep VM is reconfigured to add our basedisk created in earlier steps. Unlike all linked clones that will be created the VMDK is NOT mounted as independent: non-persistent. The contents of the base disk still need to alter to make it suitable for multiple MCS linked clones though.

8 -The prep VM is reconfigured again and the 2nd VMDK is added. This time, the .VMDK file added is a small disk file called "prepare-identify.vmdk" The file is provisioned as 16MB but is only 16KB and holds a simple file structure with a couple of files to be used for preperation process

9 -The prep VM is powered on. 

10 -After power on, it is prepared with the information found in the identifty disk:
The OS and office installations are Re-armed so that each MCS linked clone created later is ready to run with their own custom identify files

11 -After the "in guest" processing of the powered on prep VM has completed onthe prep VM, the VM is shtudown from within the guest (So a power off command will not shown in the logs)

12 -Once powered off, it is reconfigured to remove the base disk (to prevent deletion)

13 -After reconfiguration completes, the prep VM is deleted from disk
at this point, the base disk is left behind and has now been prepped and ready to be a read-only disk that all mcs linked clones will mount as their C: drive

14 -Next the VMs are created 3 at a time, using the naming convention stated in MCS wizard.

15 -After creating the VMs they are reconfigured 3 times each:

 First reconfig- VMs are sized according to the specs in the wizard

 Second reconfig- the base disk .vmdk is mounted in the VM SCSI0:0 in "Independent-non persistent" mode (RO) this is to prevent changing/locking the base disk and all write activity is redirected to a REDO file in the VMs home folder,
 
Third reconfig - A small 16mb Id disk is added similar to the one added to preparation VM.  The disk is placed in the home folder of the VM and is named %VMNAME%-IdentityDisk.vmdk". the contents of the ID disk are at the heart of what allows machines created iwth mcs to be non-persistent linked clones that can have their master disk updated, yet still persist and keep an idenity on the network]

16 -The process is repeated for 3 VMs concurrently until the total number of VMs specified in the MCS wizard is reached

Here are a few new features built into Xenapp 7.6:

Session prelaunch & session linger

Session prelaunch starts a session before the session is requested, so the application launch time in minimised.  Session Linger is used to keep the session open for a configured amount of time once the application closes. 

Support for unauthenticated anonymous users

For delivery groups containing server OS machines. You can allow users to access applications and desktops without presenting credentials to storefront or receiver. Used when users access via Kiosks so that the application may ask for the credentials, but the citrix portals do not

When configuring a delivery group, there is the option to grant access to authenticated and unauthenticated users or both. When you grant access to unaithenticated users you must create an unathenticated users storefront store

Connection Leasing

Citrix recommends using a HA fault tolerant SQL database configuration.  However, that is not enough, because there are often times when network interruptions will prevent delivery controllers

Form accessing the database, which in turn, results in users not being able to connect to their applications and desktops.

Connection leasing is designed to compliment the usual HA SQL deployment, by allowing users to connect and reconnect to their most recently used apps and desktops, even when the site database is not available.

Each controller caches users connections to the most recently used app’s and desktops. If the database becomes unavailable, the controllers enter into a lease connection mode and replays the cached connections when a users attempts to reconnect to a recently used app or desktop.

 Application Folders

Some of you may have wondered why it wasn’t possible to group your applications into folders in newer versions of storefront, well now you can. This makes managing large groups of applications easier as you can logically group applications into parent and nested folders within the delivery group (Up to max of  5 levels nested)

 Xenapp 6.5 Migration

This is a good option for those companies who wish to retain much of their Xenapp 6.5 polices and have them ported into the new Xenapp 7.6 environment:

After you install the XenApp 7.6 core components and create a Site, the migration process follows this sequence:

• Run the XenApp 7.6 installer on each XenApp 6.5 worker, which automatically upgrades it to a new Virtual Delivery Agent for Windows Server OS for use in the new Site.
• Run PowerShell export cmdlets on a XenApp 6.5 controller, which export application and Citrix policy settings to XML files.
• Edit the XML files, if desired, to refine what you want to import to the new Site. By tailoring the files, you can import policy and application settings into your XenApp 7.6 Site in stages: some now and others later.
• Run PowerShell import cmdlets on the new XenApp 7.6 Controller, which import settings from the XML files to the new XenApp Site.
• Reconfigure the new Site as needed, and then test it.

 Advanced connection throttling

Specify maximum simultaneuous actions, simultenues personal storage inventory updates, and actions per minute that can occur on a host connection

Enhanced reporting in Studio

More details and status and error reporting when updating pvd images. Better licensing alrets when using the licensing node

SSL/TLS

Enable secure sockets between users and VDAs by configuring SSL/TLS on the machines where the VDA is installed and in the Delivery groups that contain the VDAs

I will post my own version of these instructions soon, but in the meantime, here is the Citrix eDocs link for this.

http://support.citrix.com/proddocs/topic/dws-storefront-26/dws-configure-single-fqdn.html#dws-configure-single-fqdn

1)  
Download this ISOhttp://www.microsoft.com/en-us/download/details.aspx?id=5753

2) 
Mount the ISO on one of your Control/Licensing Servers and install the "Windows AIK" from the Wizard.
3) 
Launch  "Volume Activation Management Tool (VAMT)" form the Start, Programs Menu, Microsoft Windows AIK, VAMT

4) 
In the VAMT tool, click on the "Options" Menu and select "Manage MAKS"

5)
Click "Add" and then enter your MAK license Key and a Description.  Let the Activation process verify and then close out

6)
Right Click "All Computers" select "Add Computers". Do a search by Active Directory and type the hostname of your Host server or the Computer Group that all of your hosts are in.  

You'll then need to Activate the client by right clicking it an selecting the option to Activate.

Logon to one of your Citrix Xendesktop 7+ servers.

1)  Run either of these commands to identify the KMS Host:

slmgr.vbs /dlv

 or 

slmgr.vbs /dli

2)  Logon to the KMS Host server as identified and run this powershell command as administrator, to export a text file with all of the registered KMS clients.  Search the list for your Host servers or server that you're looking to confirm is using KMS Licensing.

$(foreach ($entry in (Get-EventLog -Logname "Key Management Service")) {$entry.ReplacementStrings[3]}) | sort-object -Unique >> C:\Clients.txt

Sources:

http://cloud.kemta.net/2014/08/powershell-listing-activated-clients-on-kms-server/

https://social.technet.microsoft.com/Forums/windowsserver/en-US/9a1ec2c8-eb04-4db9-b904-f8b65880ff1b/determine-kms-host-on-network

I will add the port numbers in at a later stage

For those of you who have worked with Storage systems, you will be aware of how important it is to calculate storage IOPS.  This post doesn't go into any details on that subject, but I will try to explain this in another posting, at a later date.


I'm also not going to explain the merits of using MCS over PVS or vice versa--that's a decision that should be made depending on multiple factors, and unique to each organisation.  But let's say that you've decided to use MCS (Machine Creation Services) to deploy your Xendesktop 7 Application/Xenapp 7.5 Servers (Hosted shared).  You have shared storage fabric in place and an idea of the average and peak IO usage.  With that in mind, you are now able to significantly improve those READ IOs  from your Hosting servers by reading from the Host Servers' RAM cache, rather than having to traverse the network and hit the storage fabric for every IO read operation.  Applying these Hypervisor RAM caching optimizations will have a positive impact on Read IO performance. 


Here's an explanation of the VMware and Microsoft RAM caching techiques used to significantly increase IO performance.

VSPHERE CBRC - Content based read cache 

Built into Vsphere 5, this is a 100% host-based caching solution which helps reduce READ IOs.  It help with IO storms, os boots and reboot, virus scans etc. 

There are 2 Components of the cache:

In Memory: Fixed sized of 2GB and 400MB reserved
Dynamic cache that loads blocks on demans and manages cache based on access pattersn to various blocks on the VMDK


Digest/Metadata Table: maintined on dsk for each vmdk on the host
The table holds information about the various blocks in the vmdk. A hash table with each hash pointing to a specific block

If there is a read request to a block on the VMDK, a HASH is computed and the in memory cache is checked to see if the block is present. If it is not present, the hash table is accessed and the specific block is loaded into memory. If the block is in memory, it is returned back to the user.

HYPER-V CSV Block cache

CSV Block cache is a RAM Cache. It Allows you to Cache READ IOPS in the Hyper-V host RAM.

In Server 2012, you had to "SET" the CSV block cache and "enable" for every CSV volume. In Server 2012 R2, it is enabled by default on every CSV volume, but the cache is set to 0. So to enable the cache you have to:

 
# Get CSV Block Cache Size

(Get-Cluster).BlockCacheSize

 # Set CSV Block Cache Size to 512MB

 (Get-Cluster).BlockCacheSize = 512

 Microsoft Recommend 512 (2GB MAX) CSV block cache on the HYPER-V host (Unless this is a scale out file server, which means you can use up to 80% of RAM if the OS is 2012 R2)




Windows Server 2012 R2


1. Open an elevated Windows PowerShell prompt
2. Define the size of the size of the cache to be reserved (example of setting to 2 GB)

 (Get-Cluster). BlockCacheSize = 2048


Windows Server 2012

1. Open an elevated Windows PowerShell prompt
2. Define the size of the size of the cache to be reserved (example of setting to 2 GB)

(Get-Cluster). SharedVolumeBlockCacheSizeInMB = 2048
 3. Enable CSV Cache on an individual disk (must be executed for every disk you wish to enable caching)

 Get-ClusterSharedVolume “Cluster Disk 1” | Set-ClusterParameter CsvEnableBlockCache 1

To integrate your current Redirected Folders into the new Xendesktop 7.1 environment, you would need to configure the Folder Redirection GPO settings from within your Xendesktop 7 "Desktop lockdown GPO"--remember that these OUs are recommended to be processed with a loopback policy applied, which is why these settings need to be configured in your desktop lockdown GPO again instead.  (Unless your loopback policy configured for these Xendesktop 7 hosts is set to "MERGE" mode)

Apply these settings in the Desktop lockdown GPO for each folder that you wish to redirect:

I am using Citrix Profile Manager to redirect my user profile to a network share when a user logs on.  However, you will need to exlcude the folders that you would like to be redirected from the Citrix Profile Management policy, otherwise it will cause a conflict and redirection may not work correctly. so set the exclusion from within the Citrix Studio Console (Policy Node):

This is something that I need to share, especially for those of you who plan to implement Xendesktop 7 and APP-V integration.


So, you've just spent a few days putting the Xendesktop site together, the wheels are on and polished, it's looking pretty good--the only problem is that you have no seats! I'm referring to APP-V 5 packages not being seen on your hosted shared desktop.  You're probably wondering why this is, because you've rolled this solution out before and you've used "Application & Desktop" Delivery group types before too.  But you may want to check that group type again, because the chances are that you've setup a "Desktop" delivery group type, thinking that everything will work exactly the same as an "Application" or "Application & Desktop" delivery group type, but that isn't the case:


When you create an "Application" or "Application & Desktop" Delivery group type, the App-V 5 management and publishing server setting are inherited from the site level configuration.  But Desktop delivery groups do not inherit these settings by default, because desktop delivery groups are unable to publish applications and do not inherit the App-V 5 settings from the site configuration.  Instead, you have to tell a Desktop delivery group to use the specific App-v 5 site policy (Link them)


You would follow this procedure to link your Desktop Delivery group type to the site App-V policy:


Open the Citrix Studio Console and click on the "Powershell Tab", followed by the Powershell button, located on the tab and type these commands:




1)  Get-BrokerDesktopGroup    -adminaddress *yourdeliverycontroller*


2)  Get-BrokerMachineConfiguration –Name AppV*
(Displays the site's app-v policy name)


3)  Add-BrokerMachineConfiguration –Name AppV\XYZ –DesktopGroup UID
 (Replace the AppV\XYZ with the app-v policy name found from the previous command output. Then add the UID of the delivery group, found within the first command output.)


It's prudent to do a reboot of the servers after this.


Log back again, and Bob's your uncle! Your seat are back in the motor!

But before you go, you'll also need to be aware that if you're using folder redirection, you'll need to exclude App-V directories and settings from that process.  If you don't do this, then you're likely to see the app's only once, at first logon. So do the following in Citrix Policies:

"You must exclude the following items using Profile management exclusions:

• Profile Management\File system\Exclusion list\directories:
  • AppData\Roaming\Microsoft\AppV\Client\Catalog
  • AppData\Local\Microsoft\AppV
• Profile Management\Registry\Exclusion list:
• Software\Microsoft\AppV\Client\Integration
• Software\Microsoft\AppV\Client\Publishing"

Sources:

 http://support.citrix.com/proddocs/topic/user-profile-manager-5-x/upm-using-with-app-v.html

http://support.citrix.com/article/CTX138139

Open PowerShell on the controller and type add-pssnapin citrix.*

To mount the policies, type new-psdrive “Mysite” –psprovider CitrixGroupPolicy –Root \ -controller *yourcontroller*

Note: “Mysite” is the name of the psdrive you are creating, so it could be anything.
Type cd mysite:\.

Type dir, and find the location of your policy.

In this example, user container is being used, so type Cd user first

Check the number of policies and note the priority number. Then do the same cd.. and cd computer and check if there are conflicting policy
priorities, check for duplication of policies that are in user and computer containers.

To locate name of the policy which is causing the issue, type dir.

In the preceding image, the policy name is CPM PROFILE, so to remove it, type Rd “.\CPM PROFILE”.

Go back to the Studio, click Policy > Refresh.

You will now be able to see the rest of the policies and can modify/create once more.

You might want to remove them all except the unfiltered policy and a start again. This is what I did to get this working again.  Why the duplication happens? That's something I don't have an answer to at the moment

I encountered an issue with Citrix Profile Management recently.  The session was constantly creating a temporary profile.  This profiles had been working previous to this, so I knew that the NTFS and SHARE permissions were correct.  I decided to fault find the issue using the CPM log files, as mentioned previous to this post, but there was nothing obvious.

The Citrix Profile Management service is hosted on each Hosting server, but this service is installed on the master image by the Virtual Desktop Agent.  I uninstalled the VDA & Patch from the Master image, rebooted and then reinstalled them again.  After that, I decided to remove the VM images that were currently published within the console, and create them again. 

The Profiles worked fine after this

I discovered an unusual problem when accessing the Citrix Policy node in the Studio console.  It should be noted that nothing had changed on the policy side, and the policies were viewable, earlier on in the day.  There were no conflicting Group Policy settings being applied and no powershell scripts had been run.

 

 

1 ) From studio console, click on Powershell button
2)  Type in  add-pssnapin citrix.* (not usually required)
3)  Type in

new-psdrive "Mysite" -psprovider CitrixGroupPolicy -Root \ -controller *nameofyourcontroller*

4)  Type cd mysite: 5)  Type dir, and find the location of your policy.
6)  Type Cd user. check, then dir.  Check the policy names and priority
7)  Type Cd..
8)  Type CD Computer, check the policy names and priority

You may find that there are duplicate policy names in each container, both with different policy priorities. I found this, and decided to remove all of the policies except the unfiltered policy, and start again:

9)  To locate name of the policy and remove:

For example, the name of my policy was Citrix Profile Management.    To remove it, I type Rd "CITRIX PROFILE MANAGEMENT"
.
10)  Go back to the Studio, click Policy > Refresh.

The Active Directory Computer object password is usually changed automatically within, I think 30 days. There are Group Policy or Registry settings that can be applied to disable the machine account password (I will post these details at a later date)

You may find yourself in a scenario where you are unable to login to your master image.  This could be because you have restored to a VM snapshot, at a point in time when the computer account password was different.  Your Citrix Master image is now showing this error when you login:

"The trust relationship between this workstation and the 

primary domain failed"

You attempt to rejoin this computer to the domain but find that you can't login as a local Administrator either, so what can be done here?  I patched together this solution from several online sources, referenced at the end of this posting.

1)   Boot the  VM with your Microsoft Windows Server 2008/2012 DVD
2)  From the Windows Setup menu, click “Next”.
3)  Select “Repair your computer”
4)  Under Choose and option, click on “Troubleshoot”.
5)  Under Advanced options, click “Command Prompt”.
6)  At the command prompt, run the following commands:
            

             D:

             cd windows\system32            
             ren Utilman.exe Utilman.exe.old             
             copy cmd.exe Utilman.exe

7)  Close the command prompt and then click “Continue”.

8)  The server should now boot and present the logon screen. Here click Windows Key + U. Or Click on 

9)  At the prompt you can now change the password, by typing the following command:

              Powershell

              Reset-ComputerMachinePassword -Server "yourdc" -Credential "yourdomain\yourusername"

This will reset the machine account name on the domain and workstation.  Allowing you to login once more

10)  Restart your server and once again, boot from the Microsoft Windows Server 2008/2012 DVD

11)  From the Windows Setup menu, click “Next”.
12)  Select “Repair your computer”
13)  Under Choose and option, click on “Troubleshoot”.
14)  Under Advanced options, click “Command Prompt”.
15)  At the command prompt, run the following commands:
           

             d:
             cd windows\system32
             ren utilman.exe utilman.exe.new
             copy utilman.exe.old utilman.exe

16)  Close the command prompt and then click “Continue”.

17) Reboot, and login.  

18) Makes changed to your master image, to disable the local machine password changes

SOURCES:

http://www.kieranlane.com/2013/09/18/resetting-administrator-password-windows-2012/

http://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/

It appeared that user logons were initially taking too long when logging in from Citrix Storefront. I checked the DC that the Xendesktop were using to authenticate using this powershell command from the servers: $type=[System.DirectoryServices.ActiveDirectory.DirectoryContextType]"Domain" $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, "insert you domain name") $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context) $domain.FindDomainController().Name Then I checked the Citrix Policy to make sure that Session Reliability was on (As default) and also checked the Firewall was enabled on the session hosts and Master Image (It Wasn't) I then downloaded the following hotfix by Citrix, to resolve this issue on the VDA.  This was installed on the master image, an the MCS Catalog then updated http://support.citrix.com/article/CTX139901 The patch can be downloaded from: CITRIX XENDESKTOP 7.1/7.5 VDA PATCH Also, there have been numerous issues with the new Graphic Codec in Xendesktop 7.  I found that changing the Citrix Graphics to Legacy mode to increase the logon times significantly.  Be sure to check whether your client side redirection policies are tuned also, as client redirection will also slow logons.  You may also be able to redirect the Desktop and Documents folder at logon.

Xendesktop Active Directory and Group policy settings

1)      The following OU structure woud be recommended for the Xendesktop servers:

· 

•         The Storefront Servers  –  Should be moved into the Access OU
•     The Desktop Delivery Controllers -- Should be moved into the Control OU
•         The Hosting servers –  Should be configured to be created in the Hosting OU
•      The Master image  -- Should be moved to the Master OU.  If you have problems registering this          object and moving it, then you can always use this powershell command: 

Add-computer –domainname insertdomainname –credentials domain\admincredentials  –oupath “ou=master,ou=xendesktop,ou=INSERT YOUR PATH ,ou=INSERT YOUR AD PATH,DC= INSERT YOUR AD PATH,DC= INSERT YOUR AD PATH ”

2)      Group Policy Management console can be used to “Block Inheritance” at the “Xendesktop” OU level

A GPO should be created and linked to the “MASTER” OU, with the following setting applied:

3)     I have  two example policies that are linked to the “Hosting” OU.  One of the GPOs contains the Loopback and Computer Configuration Settings, while the other Contains the User settings.  You could use one GPO, but I decided to do this to make it easier to fault find or test settings.

Loopback – loopback processing and computer settings

Desktop Lockdown – User settings

An example of the settings to be configured for each GPO can be found in this shared location.  Download and open each file in IE:

GPO SETTINGS

You may need to add the GPO Admin Templates for Office 2010.  I have included a zip file containing these templates.  This will make sense when you go to configure the Desktop Lockdown settings.  The zip file is called “Office TempladesGPP.zip”

I encountered a problem when configuring Xendesktop 7.1 Citrix Profile Manager.

Environment:

1) Citrix Access, Control & Resource severs were installed on Server 2008 R2 virtual machines.
2) Machine Creation Services was used to provision a Server 2008 R2 image for App/Desktop hosting (Resource layer)
3) A windows 2008 R2 file server was used to contain the Citrix Profile store
4) Group policy and Active directory access was locked down to my user account so Citrix Site policies were used to apply the Citrix Profile Management configuration.

I had just finished implementing the same setup for a different client, with no issues, but for some reason the Citrix Profile for this new client wasn't being created on the profile store location. At first, I thought this may be down to some policy at the AD Site, Domain, or OU level overwriting the settings in Citrix Studio Policies, but that wasn't the case. It took some time to work out what was going on, but it became clear by enabling the settings within the CPM .ini file: On the App/Desktop hosting server, navigate to "\Program Files\Citrix\User Profile Manager\" Look for the .ini file (UPMPolicyDefaults_All.ini) If you want to test what would happen if you apply the CPM settings via this ini file rather than the Citrix policy or GPO, then fill in the following sections as required:



One of the most useful features within the INI file would be the ability to turn on logging. 

You can enable the CPM settings or the log settings by placing the number 1 after the equals sign.  Any other number will disable it.  I enabled the log settings to fault find the CPM issues.  The log is created within the same folder as the ini file, unless you state a log file path in the ini file. You'll need to restart the CPM service on the Host server before you test again, or run GPUPDATE / Force

When the CPM can't connect to the Profile store, well that's when you'll start to see temporary profiles being created when you logon to the server desktop. I set the ini file to log the user off if this happened, rather than login with a temp profile, and sure enough, the next time I logged in my account was logged off.  This confirmed to me that this was an issue with connectivity to the store or permissions on the store folders.
















 I discovered that the CPM Store folder needed to be setup in  a certain way.  It would not create the CPM profiles if I used one folder with NTFS and shared permissions applied, so I had to create something like the following:





Root Folder Permissions:

In Advanced Security – Tick Include inheritable permissions from this object parent

Subfolder Permissions:

ADD CREATOR OWNER –

In Advanced security: Apply to – Subfolders and Files only

Allow Full control

Citrix user group

In Advanced security: Apply to – This folder only

The last thing to do would be to restart the Citrix profile Management Service on the host, as the changes are not made within the .ini file until that is done.  You can also use Gpupdate /force, but I prefer to start the service.

Everything worked after that, so I disabled all the .INI settings that I'd configured and tested the Citrix Studio Policy again.  All good! :)

That being said, the above permissions may need to be tweaked.  I just managed to get this working with these settings but you can fine tune it.

 

  

THIS IS A PRESENTATION, SO CLICK ON THE PLAY BUTTON WHEN YOU WISH TO MOVE ON TO THE NEXT SLIDE.

CLICK HERE FOR A PRESENTATION ON CITRIX DIRECTOR - BASICS

The image below, illustrates the different administrator roles that can be configured from the Studio console.  Administrator roles can be found within the "Configuration", "Administrators" node.

This post is designed to give you a better understanding of what Role to assign a user or group of users.

Here's a diagram to assist you with your decision on what security to apply to the varying levels of Xendesktop Administrators:

There may be occasions where you need to use powershell to create the Machine Names, rather than the Xendesktop 7 Studio Wizard.  In this scenario you can use Powershell:

Add-PSSnapin Citrix.ADIdentity.Admin.V2

Add-PSSnapin Citrix.*.Admin.V*

Get-AcctIdentityPool -adminaddress *replace with name of your controller*

Take a note of the identity Pool name that you'd like to add new machines into

New-AcctADAccount -IdentityPoolName "your Identity Pool" -Count 2 -StartCount 50 -OutVariable result

This above command will create the Machines using the Naming Scheme currently applied to your Identity Pool that your adding these Machine account into.  The hostname count will start at 50 eg:

Current Naming Scheme: HOST###

The above command will create VM accounts: HOST050 & HOST051

Microsoft are due to release their Desktop as a Service offering this year.  There's very little information about it at the moment. I'll leave you to ponder the possibilities with regards to what this could mean for those vendors who currently have no cloud platform. Things are about to get even more interesting:

http://www.zdnet.com/microsoft-readies-mohoro-windows-desktop-as-a-service-7000014769/

The above image was created by Daniel Feller, a Lead Architect for Citrix.  The blog post can be found:

http://virtualfeller.com/2013/10/29/just-the-apps/

Before you decide to rush forward with a Hosted VDI solution.  It's worth reading over this posting by DJ Feller.  Xendesktop 7.1 App Edition (Or Xenapp) can host 500 users "with just three physical servers using two Intel Xeon E5-2690 @2.9GHz with 192 GB of RAM".  You'll notice that to pack the same density of users into hosted VDI, you're looking at perhaps 500VMs, in comparison with 21 VMs when using the hosted shared desktops/apps method

I can see the point in VDI, but in many cases a hosted shared desktop solution will work (Xenapp). So  establish whether your user base needs a full fat hosted VDI solution. Do users care whether they see their Desktop? or do they just want reliable access to the tools that allow them to perform their job?

Citrix Machine Creation Services (MCS) is noted to generate 21.5 % more Average IOPS (Inputs and output per second) when running in steady state and compared to Citrix Provisioning Services (PVS)
This breaks down to roughly 8% more Write IOPS and 13% more Read IOPS than PVS.

MCS Creates 45.2% more Peak IOPS when compared to PVS

PVS has a Read/Write ratio of 90%+ Writes when the VM is running in Steady or Peak mode

MCS has a Read/Write ratio of 47/53% during Peak VM operation

MCS has a Read/Write ratio of 17/83% during Steady state

So it's now widely considered that MCS is now a perfectly viable option that can be used as an alternative to PVS. (Depending on the requirements)  If the Reads Ratio can be reduced during the VM Stable running state, then this would make the write difference beween MCS and PVS negligable.  You have to consider whether the remaining write difference is worth negating for the ease of configuration and management that MCS offfers.  Ok, it may not be a solution for all cases, but it's certainly no longer a second thought.  There are technologies to reduce the READ ratio during VM stable running status, such as the hypervisor caching technologes used by Hyper-V and VMware.

The diagram below illustrates the Read/Write ratio against IOPS for a Windows VM.  This is the lifecycle of a VM from Bootup to running state.