Saturday, April 30, 2016

Enable XenApp Maintenance Mode

Prior to XenApp 6.5, the most common method was to use a custom Load Evaluator that reports a full load when assigned to a server. The main reasons to use a Load Evaluator were:
  1. The Load Evaluator assignment is stored in the data store, so a Load Evaluator can be assigned to a server even while the server is offline.
  2. The Load Evaluator rejects new sessions, but it allows a user to reconnect to a disconnected session.
  3. The Load Evaluator affects only ICA sessions; RDP connections are still allowed.
In XenApp 6.5, the ability to assign a Load Evaluator directly to specific servers was removed; instead, a Load Evaluator can be assigned to a Worker Group (Worker Groups are collections of XenApp servers, residing in the same farm, that are managed as a single unit). The ability to put a single server into maintenance mode is provided by logon mode control.
By default, logons are enabled for each server in a farm, allowing connections, reconnections, and session sharing. Before taking a server offline, such as for maintenance, use these options to reroute logons to other servers.
  • Allow logons and reconnections. Enable all logons, reconnections, and session sharing (default setting).
  • Prohibit logons and reconnections. Reroute all logons, reconnections, and session sharing to other servers.
  • Prohibit logons only. Reroute new connections and session sharing, but allow users to reconnect to disconnected sessions. This state persists until you change it manually.
  • Prohibit logons until server restart. Reroute new connections and session sharing, as above, but after restarting the server, the setting automatically changes back to Allow logons and reconnections.
Ability to disable access to offline server
The logon mode for RDP is a per-server configuration stored in the registry, in two different locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSServerDrainMode
0 = Allow all connections
1 = Allow reconnections, but prevent new logon until reboot
2 = Allow reconnections, but prevent new logon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\WinStationsDisabled
0 = Enabled
1 = Disabled
When the server is in drain mode, WinStationsDisabled is always 0 (enabled).
Now the interesting part is that XenApp logon control is actually managed through the data store and is updated using the LHC synchronization notification. So when you change the logon mode in the console, the change is not made immediately in the registry of the target machine. When a XenApp server is offline and you change the logon mode, it gets the notification from the data store during boot and automatically applies the logon mode that you've configured in the console. This allows you to change the logon mode even while the server is offline.
Temporary drain mode (Prohibit logons until server restart) is, however, available only when the server is online.
Logon Mode in PowerShell
Especially in larger and more dynamic environments, it's very common to automate the whole maintenance process. If you want to automate the assignment of logon modes, there are two commands that you can use.
To assign a logon mode to a server:
Set-XAServerLogOnMode -LogOnMode $LogonMode -ServerName $Server
Since the logon mode is an enumeration, you can use this generic method to list all allowed values:
[Enum]::GetValues("Citrix.XenApp.Commands.LogOnMode")
To save you some time, I'm also going to list all allowed values for $LogonMode:
  • AllowLogOns
  • ProhibitNewLogOnsUntilRestart
  • ProhibitNewLogOns
  • ProhibitLogOns
To get the logon mode assigned to a server, read it from the regular server object, where it is one of the properties:
$(Get-XAServer -ServerName $Server).LogonMode
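An added example (not code from the original post) that combines the two commands with the registry values listed earlier: it validates the requested mode against the enumeration, applies it, and reports the farm-side LogonMode next to the decoded registry state of the server. The helper names ConvertTo-RegText and Set-MaintenanceLogOnMode, the server name, and the use of PowerShell remoting to read the registry are assumptions.

```powershell
# Added example; not code from the original post.
# Assumes the XenApp 6.5 PowerShell SDK is installed and PowerShell remoting
# (Invoke-Command) is enabled to the target server.
Add-PSSnapin Citrix.XenApp.Commands -ErrorAction SilentlyContinue

# Registry value meanings, as listed in the post.
$DrainText    = @{ 0 = 'Allow all connections'
                   1 = 'Allow reconnections, but prevent new logon until reboot'
                   2 = 'Allow reconnections, but prevent new logon' }
$DisabledText = @{ 0 = 'Enabled'; 1 = 'Disabled' }

function ConvertTo-RegText($Value, $Table) {   # hypothetical helper name
    if ($Value -eq $null) { return 'not set / unreachable' }
    $key = [int]$Value                         # WinStationsDisabled may come back as a string
    if ($Table.ContainsKey($key)) { return $Table[$key] }
    return "unknown ($Value)"
}

function Set-MaintenanceLogOnMode {            # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$LogonMode
    )
    # Refuse values that are not members of the LogOnMode enumeration.
    $allowed = [Enum]::GetNames("Citrix.XenApp.Commands.LogOnMode")
    if ($allowed -notcontains $LogonMode) {
        throw "Invalid logon mode '$LogonMode'. Allowed: $($allowed -join ', ')"
    }
    Set-XAServerLogOnMode -LogOnMode $LogonMode -ServerName $Server

    # Server-side view: the two registry values. $reg stays $null if the server is offline.
    $reg = Invoke-Command -ComputerName $Server -ErrorAction SilentlyContinue -ScriptBlock {
        $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
        $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Drain = $ts.TSServerDrainMode; Disabled = $wl.WinStationsDisabled }
    }
    # Farm-side view (data store) next to the decoded registry state.
    New-Object PSObject -Property @{
        Server              = $Server
        FarmLogonMode       = (Get-XAServer -ServerName $Server).LogonMode
        TSServerDrainMode   = ConvertTo-RegText $reg.Drain $DrainText
        WinStationsDisabled = ConvertTo-RegText $reg.Disabled $DisabledText
    }
}

Set-MaintenanceLogOnMode -Server 'XA65-01' -LogonMode 'ProhibitNewLogOns'   # constructed server name
```

If FarmLogonMode already shows the new mode while the registry columns still show the old state, the server has not yet processed the change notification from the data store.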
For XenApp 5 and XenApp 6, create a custom load evaluator and assign it to individual servers. From XenApp 6.5, use the new prohibit logons feature and change the registry setting to enable RDP for admin users.
