Everything you wanted to know about out of the box printing but were afraid to ask

In my blog on the overlooked, but somewhat familiar, Application Groups feature:


I advised users of a way to provide an active/active, active/passive solution at the application level without the need for any additional software other than XenApp post 7.9.

This blog will touch upon another overlooked, but somewhat familiar, practice of Printing and highlight some great scripts provided by fellow CTA Martin Therkelsen to clean your printing environment.

It seems there is plenty of information out on this subject, yet time and time again, I see fundamental mistakes being made and then users and administrators wondering why they cannot print successfully. It is also a subject that people assume you know about and therefore are afraid to ask.

When it comes to printing and design, I will always start with the below strategy and tailor it based on customer requirements:

  • Limit the number of printers within your RDS sessions.
  • Allow default printer only and map network printers via GPP.
  • Assess and analyse printing requirements.
  • Prevent print driver installation for your users.
  • Use Universal print drivers or Easy Print to reduce the number of print drivers.
  • Non-native print drivers should be tested using a print stress tool.
  • Use Print Detective and remove any Non-Native drivers.
  • Use print driver isolation to minimize crashes related to drivers.
  • For roaming users, map printers using GPP proximity-based printing.
  • Have the Print Server and RDS on the same O/S version.
  • Clean out your printers.


This is my own set of baseline best practices and may not cover every niche requirement. There are quite a lot of good 3rd party solutions out there for special circumstances, but what I want to define at this point is an out of the box methodology without the need for 3rd party tools or even Citrix.

So, what does this look like in practice and how would you go about achieving the above?

Let me show you.


Limit the Number of Printers within Your Terminal Server Sessions

You can prevent printer redirection by using this local policy setting:

Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Printer Redirection

Do not allow client printer redirection

This can also be set at GPO level.

This setting will prevent client-redirected printers at the computer configuration level. Consider it an all-or-nothing switch for client redirection. This setting will override client settings.


Allow Default Printer Only and Map Network Printers via GPP

If users require client printer mapping, provide them with default printers only. If they require any additional printer, try to adjust their expectation first and deal with this by setting the correct default printer outside the session. This way you are still limiting the number of printers that are redirected.

Computer Configuration / Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Printer Redirection

Redirect only the default client printer

By enabling the next policy, the Client Printers will be redirected, but will not be set as the default printers.

Computer Configuration / Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Printer Redirection

Do not set default printer to be default printer in a session

Should users want networked printers to be mapped automatically within the session, then my out of the box suggestion is to use Group Policy Preferences (GPP) to deploy printers. You can target specific users / groups to have certain printers using item level targeting. You can also set the default printer for your users at this level.

User Configuration / Preferences / Control Panel Settings / Printers


Assess and Analyse Printing Requirements

This part is all about how to configure your printing traffic flow and when to redirect the print job based on site criteria. For example, the below setting should be used if your RDS Servers and Print Servers are within the same location and you want to save on resources on your RDS host.

Computer Configuration / Policies / Administrative Templates / Printers

Always render print jobs on the server

Disabling this setting increases the resources on your RDS server.

In my opinion, it is wise to offload print rendering to the print server when mapping Network printers, as you would want to reduce load on your RDS Server provided your Print Server has a lot of resources and is in the same site as your RDS server.

More on this can be found in an article I have highlighted at the end of this blog post!


Prevent Print Driver Installation for your Users

There are various ways to achieve this. Within your preferred GPO navigate to:

Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options

Prevent users from installing drivers


Computer Configuration / Policies / Administrative Templates / Printers

Package Point and Print – Approved Servers

Specifying a false (non-existent) name here will stop users from installing printer drivers.

Most modern printers do not require Kernel mode drivers, so it is also worthwhile configuring this setting:

Computer Configuration / Administrative Templates / Printers

Disallow installation of printers using kernel-mode Drivers


Use Universal Print Drivers or Easy Print to Reduce Amount of Print Drivers

This one is self-explanatory. Again, it centers around limiting drivers on your RDS servers to avoid compatibility issues and spooler problems. My preference is to use universal drivers for session based printing when possible and if you have client redirected printers use TS Easy Print. The Easy Print settings can be found at these locations:

Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Printer Redirection

Use Remote Desktop Easy Print Printer Driver First


If the “Do not allow client printer redirection” policy setting is enabled, the “Use Terminal Services Easy Print printer driver first” policy setting is ignored.

Computer Configuration / Policies / Administrative Templates / Remote Desktop Services / Printer Redirection

Specify RD Session Host server fallback printer driver behaviour

With this policy, you can define whether the PCL driver, the PS driver or both are used as the fallback when the Easy Print driver cannot be used.



If you have to use printer drivers, use PCL5 or PostScript drivers, as advised by the very knowledgeable Thomas Kotzing.

Make sure you use isolation for HP Universal Printer Drivers.


Non-Native Print Drivers Should Be Stress-Tested Using a Print Stress Tool

I have provided links with detailed information on how to use the Print Stress Tool:





Use Print Detective and remove any Non-Native Drivers

Print Detective is an information-gathering utility that can be used for troubleshooting problems related to print drivers. It enumerates all printer drivers from the specified Windows machine, including driver-specific information. It can also be used to delete specified print drivers.

Just to highlight: it is a Citrix tool but can be used for non Citrix environments!
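If you would rather script the same inventory on a session host, here is an added PowerShell example (my own code, not Print Detective and not from the original post) using the built-in PrintManagement cmdlets available on Windows 8 / Server 2012 and later. It classifies each installed driver as inbox, third-party or kernel-mode, marks whether a queue still uses it, and lets you dry-run the removal of unused non-native drivers; treating a "Microsoft" manufacturer string as "inbox" is a heuristic.

```powershell
# Added example, not from the original post or Print Detective itself.
# Requires the PrintManagement module (Windows 8 / Server 2012 or later)
# and local administrator rights for the removal step.
function Get-PrintDriverInventory {
    [CmdletBinding()]
    param()

    # Driver names still referenced by a printer queue on this host
    $inUse = @(Get-Printer -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty DriverName -Unique)

    foreach ($drv in Get-PrinterDriver) {
        # Heuristic: drivers shipped with Windows report Microsoft as the
        # manufacturer; anything else is what Print Detective calls "non-native".
        $isInbox = $drv.Manufacturer -like 'Microsoft*'
        # MajorVersion 2 = legacy kernel-mode driver, 3 = user-mode (v3), 4 = v4
        $isKernel = $drv.MajorVersion -lt 3

        $class = if ($isKernel) { 'KernelMode' } elseif (-not $isInbox) { 'ThirdParty' } else { 'Inbox' }

        [pscustomobject]@{
            Name         = $drv.Name
            Environment  = $drv.PrinterEnvironment
            Version      = $drv.MajorVersion
            Manufacturer = $drv.Manufacturer
            InfPath      = $drv.InfPath
            Class        = $class
            InUse        = ($inUse -contains $drv.Name)
        }
    }
}

function Remove-UnusedNonNativeDrivers {
    # Removes third-party and kernel-mode drivers that no queue references.
    # -WhatIf shows what would be removed; PrinterEnvironment is passed so
    # the matching architecture entry is removed on hosts that have several.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Get-PrintDriverInventory |
        Where-Object { $_.Class -ne 'Inbox' -and -not $_.InUse } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove printer driver')) {
                Remove-PrinterDriver -Name $_.Name -PrinterEnvironment $_.Environment
            }
        }
}

# Report first, then dry-run the removal before doing it for real
Get-PrintDriverInventory | Sort-Object Class, Name | Format-Table -AutoSize
Remove-UnusedNonNativeDrivers -WhatIf
```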



Roaming Users, Map Printers using GPP Proximity Based Printing

To configure proximity-based printing, configure your Terminal Servers with loopback policy processing enabled and navigate to this setting:

User configuration / Preferences / Control Panel Settings / Printers.

Right-click and add a new Shared Printer. Choose Action – Replace, enter the shared printer details and set the printer as default.

The Common tab will allow you to do some Item-level targeting – choose the options below.


In my example, I have targeted terminal sessions coming from a specific client IP range, so only those users get the printer mapped. Continuing with this method, you can assign different printers to different IP ranges. If a user moves to a different location, they will get the nearest printer mapped within their Terminal Server session.

You can use a variety of settings to map the printers within Group Policy Preferences (GPP) or a combination of settings such as Client IP range and AD group. All Items are defined below:


Have the Print Server and Terminal Server on the same O/S

The print server and TS server should be on the same O/S so we avoid any issues to do with 32-bit and 64-bit drivers and driver conflicts.

If for some reason you do have some type of driver mismatch, you should configure your client-to-server print driver mapping.


Use Print Driver Isolation to Minimise Crashes with Drivers

Computer Configuration / Policies / Administrative Templates / Printers

Execute print drivers in isolated processes

This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail.

The video link provided here highlights at the end how and why to use print driver isolation to limit spooler crashes.


We also have this setting to help in driver related crashes:

Computer Configuration / Policies / Administrative Templates / Printers

Isolate print drivers from applications (Server 2012 and above)

Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash.


Make sure you use isolation for HP Universal Printer Drivers.


Clean Out Your Printers


So, it’s all very well achieving these goals from the outset, but how do you deal with the mess that was made before your arrival? You have inherited chaos and you need to tackle the situation. Your predecessor did not share your mindset: all printers were allowed to be redirected, driver installation was never considered, users could map printers themselves, stale profiles were removed incorrectly when users left, and users accept all the resulting issues because it is what they have become accustomed to.

Now your user profiles and TS servers contain a ton of incorrect printer mappings.

First things first, as quick as you can, reset user expectation and get the above steps put in to practice to form your baseline for your printing solution. You will then need to clean out the old/stale printers in the environment.

There are various ways to achieve this, such as running the following when shutting down/rebooting machines:

reg delete "hkcu\printers\connections" /f

This will delete all GPP and manually added printers.

My fellow Citrix Technology Advocate Martin Therkelsen, who is very good with scripting solutions, has kindly provided some scripts to aid with the above problem; they must be run under both the HKLM and HKCU context. There are two scripts: one for computer logon and one for user logon.

If you do not clear the HKCU part (within the profiles) the old/stale printers will be mapped back and you will see them start to re-appear.

The scripts should be run on user logon and machine startup. You could create two GPOs for this and apply to your RDS servers.


Remember to back up your registry before trying this out and always in a test environment first folks!

Script Instructions:

The script is a simple function called from the last line, where you just need to change the name of the stale print server. You can also choose to run the script with -Verbose.


Cleanup-StalePrinters -StalePrintServer StalePrinterServerName


Cleanup-StalePrinters -StalePrintServer StalePrinterServerName -Verbose

You need to edit both scripts so the bottom line is running the function with the parameter for the stale server.

The scripts are available here to download:

Print Scripts
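Since the scripts themselves are linked rather than reproduced, here is an added PowerShell example of the same idea (my own code, not Martin Therkelsen's script): a Cleanup-StalePrinters function that removes only the registry keys pointing at the named print server, from the per-user connection list (HKCU) and from the machine-wide print provider caches (HKLM), with -WhatIf and -Verbose support. The registry locations are the standard Windows print provider paths, not ones given in the post, so confirm them in a test environment first.

```powershell
# Added example in the spirit of the scripts described above; it is not
# Martin Therkelsen's script. Registry paths are the standard Windows print
# provider locations (assumed; verify in a test environment first).
# Run under the user context (logon script) to clean HKCU and under the
# machine context (startup script) to clean HKLM.
function Cleanup-StalePrinters {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$StalePrintServer,

        # User = HKCU only, Machine = HKLM only, Both = whatever this context can reach
        [ValidateSet('User', 'Machine', 'Both')]
        [string]$Scope = 'Both'
    )

    # Normalise "\\SRV01", "srv01.corp.local" or "SRV01" to a bare host name
    $server = (($StalePrintServer -replace '^\\\\', '') -split '\.')[0].ToUpperInvariant()
    Write-Verbose "Searching for printer connections to '$server'"

    $roots = @()
    if ($Scope -ne 'Machine') {
        # Per-user connections; subkeys are named ",,SERVER,SHARE"
        $roots += 'HKCU:\Printers\Connections'
    }
    if ($Scope -ne 'User') {
        # Machine-wide cache of remote print servers and their printers
        $roots += 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
        # Client Side Rendering provider keeps a per-SID copy of each user's connections
        $roots += 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider'
    }

    $removed = 0
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Verbose "Skipping missing key $root"
            continue
        }

        # Collect matches first so that deleting a parent does not disturb enumeration
        $stale = @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { Test-StalePrinterKey -Key $_ -Server $server })

        foreach ($key in $stale) {
            if (-not (Test-Path -LiteralPath $key.PSPath)) { continue }   # parent already removed
            if ($PSCmdlet.ShouldProcess($key.PSPath, "Remove stale printer key for $server")) {
                Remove-Item -LiteralPath $key.PSPath -Recurse -Force
                $removed++
            }
        }
    }

    Write-Verbose "Removed $removed registry key(s) referencing $server"
    return $removed
}

function Test-StalePrinterKey {
    # A key is stale when its name is the server itself (...\Servers\SERVER),
    # a connection named ",,SERVER,SHARE", or it carries a Server value of \\SERVER.
    # The optional (\.domain) part also matches keys written with an FQDN.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Server)

    $hostPattern = [regex]::Escape($Server) + '(\.[^,\\]+)?'
    $leaf = $Key.PSChildName
    if ($leaf -match ('^(\\\\)?' + $hostPattern + '$')) { return $true }
    if ($leaf -match ('^,,' + $hostPattern + ',')) { return $true }

    $value = (Get-ItemProperty -LiteralPath $Key.PSPath -Name Server -ErrorAction SilentlyContinue).Server
    return [bool]($value -and ($value -match ('^\\\\' + $hostPattern + '$')))
}

# Dry run first, then for real with progress messages
Cleanup-StalePrinters -StalePrintServer StalePrinterServerName -WhatIf
Cleanup-StalePrinters -StalePrintServer StalePrinterServerName -Verbose
```

Unlike the blanket reg delete above, this leaves connections to healthy print servers in place, so GPP does not have to recreate them at next logon.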


When removing stale profiles manually, make sure you do this via the Advanced System Settings / System Properties / User Profiles location.

Simply right clicking and deleting the user’s folder directly will leave stuff in the registry and you can get a build-up of stale servers!



I have one more tale to tell in this series on the somewhat familiar but often overlooked. Until my next post, I hope some of you found this useful and that it gives you a good baseline for moving forward with your printing solutions.

Lastly, it never hurts to revisit the printing architecture and how printing works in an RDS/TS/Citrix environment. This guide is still very relevant today and is always worth revisiting. For me, it is the printing blueprint all RDS admins should work from, and it will help you assess your printing environments.




Login PI and Xenapp Optimisation – Part 2

What is Login PI
Login PI is a new tool from those clever people who gave you Login VSI. I have decided to use this tool to test some of the optimisations in my Xenapp environment.

Login PI is an advanced VDI performance measuring system designed to help you deliver the best possible digital experience for your virtual desktop users—maximising worker productivity while minimising downtime and costly business interruptions. Login PI provides a new level of actionable, in-depth insights into the quality of your VDI’s digital experience that other solutions cannot match.


This article will show you the installation steps and how to set the software up to simulate real world actions such as launching desktops and applications.

Following on from this article we will carry out these real-world tasks using various optimisation settings we highlighted in part 1 of this series.
Installation pre-requisites
I am using a Windows 2016 server.

Install .NET 3.5

Once you have installed the pre-requisites and downloaded the PI software, click on the .exe and run it.
Run Setup
This will install IIS and a few other binaries. You will be prompted to reboot.

After this you connect to the web console (Google Chrome is recommended):

Connect to http://localhost:8080

You will then add the SQL server details.

The below highlights that I am using SQL1 as a server and I input my administrative credentials.


Now we are at the stage where we are ready to configure LOGIN PI.
Login PI Configuration
We can see a license error stating that no license is installed. So, first things first, upload your license.

I have a trial license to demo this software.

Browse to your License file and upload.

Create Logon Accounts
Next, we need to create some logon accounts that LOGIN PI will use to generate session workloads.

Hit the cog wheel icon and put in the details of your Base OU, Username and desired password, Domain and number of users to create.

Then click GENERATE.

This will generate a PowerShell script for you to run on your Domain Controller.

Copy script to DC and run.

The script should generate a new OU (LoginPI) with a subfolder and some target users as shown below.

Next, we return to our LOGIN PI configuration console.
Create Profile
We will create a profile for LOGIN PI to use.

Click the + icon.

Enter Name, Type (of connection) and Description.

The various types of connections you can do are highlighted here:


Now configure your environment settings.

Choose your workload

You have two options.

Default workload - native windows apps will use applications already native to your O/S like notepad, calculator etc.

Default workload – office apps will use Word, Outlook, Excel etc.

The following office versions are supported. This can be seen under the office version tab within Environment Settings.

Next, scroll down and configure your connections.

Click the + icon and input a username and password (Previously generated via script or any other account that can launch sessions) and click CREATE. You can add as many accounts as you wish to test session launches.

To edit these settings, you can click the area highlighted in yellow above.

Next highlight the yellow edit area shown below and fill in your connection settings.

The example I have below is using a Storefront connection.

For the Storefront URL use the Store URL.

Put in your domain and the resource name is the name of your Published Desktop Resource.

You should not have to change the advanced settings.

Next you configure your launcher.

This can be the same machine as your LOGIN PI server, but the important thing to remember is that it should be in the Xenapp site you are testing. If you have multiple sites you can configure multiple launchers.

Download the launcher setup file that is appropriate for your machine (32 or 64 bit).

Run the launcher.


In the next screenshot, it is best to put in the name of the LOGIN PI server you are connecting to if the machine is not the LOGIN PI server itself. Remember launchers can be put on multiple sites to test connectivity.


You will now have a new application icon.

The above reminds me that your launcher machine must also have Receiver installed. (Try to use latest).

Now when you launch this it will not work straight away. We still have some actions to carry out and then we need to approve the launcher machine.
Set Schedule
The next thing we need to set is the Daily Schedule.

We can choose the hours during which we want the launcher tasks to run using the accounts we set up previously. To start this, tick the Enable scheduling box and choose a time interval between session launches.
Finally, we have threshold settings. This defines thresholds for all actions or specific actions so that you receive alerts after a set overrun.

Final Actions
One more thing, we need to approve the launcher server.

To do this we hit the icon highlighted below.

Highlight your launcher by selecting the tick box and then hit ACCEPT.

Now when we click the LOGIN PI LAUNCHER we will initiate a connection to your desired published desktop resource and it will launch the native apps. This will be logged and recorded as part of your defined schedule for you to analyse in the LOGIN PI DASHBOARD.

You should now see a desktop launch and initiate applications and then close.

If you have an issue with the session connecting but no launching of applications, the following needs to be installed on your Xenapp image.

More Prerequisites
Here are some prerequisites for your target image:

Target Environment Software

Windows-based operating system.

Microsoft .NET Framework 3.5


The test user(s) need to be able to:

Logon to the target environment.

Run the logon script.

Have connectivity to the Login PI server over a dedicated port (default is port 8080).

Access the %temp% folder.

Make sure all these are in place and you should not have any issues.

Further requirements for a login PI environment can be found here:

Before I complete the testing of the various optimisations with a 2012/2016 image, I already view this tool as quite a useful proactive reporting mechanism on the session health of your RDS/Xenapp environments.

You can set up profiles direct to Xenapp/RDS servers and via Storefront and Netscaler Gateways.

One thing that grabbed my attention was whether this tool could be multi-tenanted. I spoke to the chaps at Login VSI, who said that it could be used in such a manner.

If this is the case I would be able to analyse my different profiles that were created for different environments that use different launchers in multiple sites and receive proactive information should there be any issue with session launches or application launches. Remember the launchers must be able to see the LOGIN PI server on port 8080!

In part 3 we will delve in to the Dashboard and Insights supplied by Login PI.






Login PI and Xenapp Optimisation – Part 1

There are a lot of optimising tips and best practices that can be searched for on the internet for your Citrix environments. This article will collate some of these suggestions and then I would like to get down to some tests to see the improvements that can be made. I will use a new tool called Login PI which is made by those clever people at LoginVSI. This tool can log the speed of your Xenapp connections and session initialisation.

First things first – I would like to thank the amazing people out there who have already tested and provided optimisations. To this end I will provide the following links, and they are all worth a good read. I have no doubt more recommendations will be added to this post over time.











My Generic Recommendations to apply are taken from all the above.

Generic Recommendations

Install all the recommended Microsoft security patches.


  • Set logon-time expectations with users without session pre-launch or linger; the time is measured from the point of application click after logon. Setting expectations is paramount. Why would you expect a sub-10-second logon if your normal workstation cannot achieve this?
  • Design your profiles with folder redirection (User Configuration > Policies > Windows Settings > Folder Redirection).
  • Streamline your profile and use UPM exclusions (http://www.carlstalhood.com/citrix-profile-management/#exclusions). Check the recommended exclusions after every UPM release.
  • Do not map every printer! Use default printer only if possible.
    Start this application without waiting for printers to be created. "Set-BrokerApplication APPNAME -WaitForPrinterCreation:0"
  • Consolidate your GPOs and enable Block Policy Inheritance. The fewer GPO objects, the faster logon will be.
  • Use Load throttling.
  • Use latest Receiver Client.
  • Use Director to provide you with valuable insights as to what parts of the logon process are causing issues.
  • Check logon scripts. Check for old mapped drives, printers that no longer exist.
  • Check for old, stale user profiles (not deleted after logoff). Configure profiles to be deleted after logoff (This does not enhance log on but is best practice).
  • Make sure users have full permission on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing registry key.
  • Disable virtual channels not in use (client drives, audio, printing, COM ports, USB redirection) in the Citrix policies.
  • Disable unused parts of your GPO (Computer or User).

  • Use Asynchronous GPO processing (this should be enabled by default). It lets the system display the Windows desktop before it finishes updating user Group Policy. The setting can be found here:
    Computer Configuration\Administrative Templates\System\Group Policy
  • Disable or prevent apps from running once the shell initialises. Use msconfig or right-click the app in Task Manager\Start-up and set it to disabled.

  • Use Autoruns. This tool highlights what runs when a user logs in to a Windows Server. Run this and disable everything that is not required for your environment.
  • Disable (do not delete) everything that is not required under the following keys:
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components.

  • Remove the startup delay. For VDAs based on Windows 8.x, Server 2012 and Server 2016: Microsoft introduced a delay of 5-10 seconds for operating systems starting from Windows 8. To remove the delay, add the registry value StartupDelayInMSec (REG_DWORD) with data 0 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize (you can add the key “Serialize” if it is not present already). This will greatly reduce “interactive logon” delays.
  • Exclude the whole of \AppData\Local\Google\Chrome. Include the following as a start:
    AppData\Local\Google\Chrome\User Data\First Run
    AppData\Local\Google\Chrome\User Data\Local State
    AppData\Local\Google\Chrome\User Data\Default\Bookmarks
    AppData\Local\Google\Chrome\User Data\Default\Favicons
    AppData\Local\Google\Chrome\User Data\Default\History
    AppData\Local\Google\Chrome\User Data\Default\Preference
Slow Initial Login When Using Folder Redirection

Modify the following registry entry, which controls the wait time.


FolderRedirectionWait (REG_DWORD) in milliseconds

Default value is 5000 milliseconds or 5 seconds for each folder.

Valid values range from 0 up to the DWORD maximum.

Recommend turning OFF real-time scanning for MCS/PVS created images as they are read-only.

Run real-time scanning on the network shares that host the profiles/home folders and also on the Write Cache location in the case of PVS images. Run a full scan on writable images only.
  • Enable the Microsoft policy “Set maximum wait time for the network if a user has a roaming user profile or remote home directory” and set the value to 0. The policy can be found under Computer Configuration – Policies – Administrative Templates – System – User Profiles - https://support.citrix.com/article/CTX133595/
  • In the System Control Panel, click Environment Variables. In the System Variables section, click the variable Path. Add the following to the end of the string in the Value field at the bottom of the panel:


Click Set. The changes take effect immediately.
Turn IPv6 off if not in use. Slow boots can occur due to IPv6. See also this TechNet article.

To disable IPv6 I would recommend using the registry key instead, since there is a known issue when you unselect it in the network adapter settings.
Black screen – Might not be relevant after 7.9


Remove the full path from the AppInit_DLLs key.

Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Entry Name: AppInit_DLLs

Entry Type: String

New Entry Value: mfaphook64.dll

Old Entry Value: C:\Program Files\Citrix\System32\mfaphook64.dll

Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Entry Name: AppInit_DLLs

Entry Type: String

New Entry Value: mfaphook.dll

Old Entry Value: C:\Program Files (x86)\Citrix\System32\mfaphook64.dll
  • Active Setup. Remove the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}. Make sure that the key is removed for the user profile as well under HKCU. The above key is 2C7339CF-2B09-4501-B3F3-F3508C9228ED - Theme Setup Program (Non Critical).
  • Delete the entry HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC. This can be achieved by a login script:
    REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC /va /f
    This reduced logon time from 55 seconds to 16-17 seconds (KB 3161390).


…add the location to the registry exclusion list in Citrix Profile Manager.

For memory consumption, you should consider the following:

Verify that DLLs loaded by an app are not relocated.

Relocated DLLs can be identified in Process Explorer by selecting the DLL view for the process, as shown in the following figure.

Here we can see that y.dll was relocated because x.dll already occupied its default base address and ASLR was not enabled.

If DLLs are relocated, it is impossible to share their code across sessions, which significantly increases the footprint of a session. This is one of the most common memory-related performance issues on an RD Session Host server.
Disable NTFS Last Access Timestamps

By default, Windows keeps track of the last time a file was accessed through the “last access” time stamp. If you use this time stamp for backup purposes, or you make frequent use of the Windows search function based on time stamps, then you may actually have a use for it.

In other cases you can disable the update and it will speed up Windows by avoiding having to update (write) that time stamp every time a file is read.

fsutil behavior set disablelastaccess 1


Navigate to the following registry location:


Right-click the right-side panel and select New > DWORD Value. Call it NtfsDisableLastAccessUpdate and give it a value of 1.
Here are some other optimisations you can add in to GPO preferences, taken from Eric's Xenapp blog.

CtxStartMenuTaskbarUser – Windows 7 look on WS08R2 & XenApp 6.5
StatusTray – Provisioning Services
vDesk VDI – Personal vDisk
DisableStatus – Slow logon with black screen (Citrix XenApp 7.6 Slow Logon)

Generic AV recommendations

Recommend turning OFF Real-time scanning for MCS/PVS created images as they are only read only.

Run real-time scanning on the network shares that host the profiles/home folders and also on the Write Cache location in the case of PVS images.
  • Hardcore option – use Citrix universal printer and disallow printer mappings
  • Is the file server optimised? – Check the IOPS on the file server!
Virtual environments

Remove CD-ROM drives from your virtual Citrix servers.

Hide VMware Tools systray icon:
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
"ShowTray"=dword:00000000
Note all your optimisations that are not out of the box!
Be careful when fully optimising an image as it might inadvertently break other stuff. I would go through my generic recommendations and if this proves a suitable logon time leave it there.
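To keep track of which of the registry tweaks above are actually in place on an image, here is an added read-only audit (example code, not from the original post) that checks the registry locations quoted above plus the NTFS last-access setting and reports each as compliant or not. The fsutil output format, and the meaning of value 3 on Windows 10/2016 and later, are assumptions; nothing is modified.

```powershell
# Added example, not part of the original post: read-only audit of the
# registry tweaks recommended above. Paths and values are the ones quoted
# in the post; nothing is changed. Run it in the user's session so that
# HKCU reflects that user's profile, with admin rights for fsutil.
function Test-LogonOptimisations {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Compliant, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Compliant = $Compliant; Detail = $Detail })
    }

    # 1. Explorer startup delay: StartupDelayInMSec must exist and be 0
    $serialize = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize'
    $delay = (Get-ItemProperty -LiteralPath $serialize -Name StartupDelayInMSec -ErrorAction SilentlyContinue).StartupDelayInMSec
    if ($null -eq $delay) { Add-Finding 'StartupDelayInMSec' $false 'value missing, default delay applies' }
    else { Add-Finding 'StartupDelayInMSec' ($delay -eq 0) "current value $delay" }

    # 2. AppInit_DLLs should list bare DLL names (mfaphook64.dll), not full paths
    $appInitKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $appInitKeys) {
        $dlls = (Get-ItemProperty -LiteralPath $k -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($dlls)) { Add-Finding "AppInit_DLLs ($k)" $true 'empty'; continue }
        # entries are separated by commas or spaces; a backslash means a full path
        $withPath = @($dlls -split '[,\s]+' | Where-Object { $_ -match '\\' })
        Add-Finding "AppInit_DLLs ($k)" ($withPath.Count -eq 0) "value: $dlls"
    }

    # 3. Theme Setup Active Setup component should be gone from both HKLM and HKCU
    $guid = '{2C7339CF-2B09-4501-B3F3-F3508C9228ED}'
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\SOFTWARE\Microsoft\Active Setup\Installed Components\$guid"
        $present = Test-Path -LiteralPath $path
        Add-Finding "ActiveSetup $guid ($hive)" (-not $present) $(if ($present) { 'still present' } else { 'removed' })
    }

    # 4. UFH\SHC should have been deleted by the logon script
    $shc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\UFH\SHC'
    $shcPresent = Test-Path -LiteralPath $shc
    Add-Finding 'UFH\SHC' (-not $shcPresent) $(if ($shcPresent) { 'still present' } else { 'removed' })

    # 5. NTFS last-access updates: fsutil prints "DisableLastAccess = N ..."
    #    (1 = disabled; assumed: on Windows 10/2016+ a 3 means system managed, disabled)
    $fs = (& fsutil behavior query disablelastaccess 2>&1) -join ' '
    if ($fs -match 'DisableLastAccess\s*=\s*(\d)') {
        $n = [int]$Matches[1]
        Add-Finding 'NtfsDisableLastAccessUpdate' (@(1, 3) -contains $n) "fsutil reports $n"
    } else {
        Add-Finding 'NtfsDisableLastAccessUpdate' $false "could not query fsutil: $fs"
    }

    return $findings
}

Test-LogonOptimisations | Format-Table -AutoSize
```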

It might be better to trick user expectation by using session pre-launch or linger than to go through a completely optimised image, as if something does break, troubleshooting might be difficult.

As with everything, the proof is in the pudding.
I will reveal the tests of 3 scenarios using a tool called LOGIN PI in a future post.

1) Out of box Xenapp 2016 image.

2) My Rule of thumb recommendations applied.

3) 2016 optimisation using the Citrix Optimiser Tool.
Let’s see what we get!



Troubleshooting VDA Migration from 6.5 to 7.13

Choosing the option to let the 7.13 installation media remove Xenapp 6.5 resulted in a 1603 error.

Error 1603 and the details.


The VDA at this point did not install on the 2008R2 O/S.

I then installed the VDA from the Xenapp 7.13 ISO.

A few install errors appeared but the install carried through once you hit OK.

Interestingly, I checked to see whether the VDA was registered in the XA7 Studio console, and indeed it was.

Problems continued and I was unable to launch any applications.

Checked STA configuration.

Checked Firewall.

Checked install logs in %AppData% on the VDA. (Local folder)

Because I knew there was a problem when installing the VDA on a Server 2008 R2 image, I uninstalled the VDA software and any left-over XA6.5 components.

From this point the VDA installed cleanly along with Receiver.

My apps could now be launched.

I will make another attempt at this to see if I can cleanly upgrade the VDA otherwise I will resort to a manual uninstall of 6.5.

I will update this post soon.

I know this is not rocket science but hopefully it will help someone.

The case of GSLB Failure due to ports not being open

Please note that this Citrix KB, https://support.citrix.com/article/CTX110348, states that the public IP address should only be used when there is no VPN connectivity and GSLB has to communicate over the Internet.

“When adding a GSLB site, if the site communicates over the internet only then use the "Public IP" field. For example, when there is no site to site VPN connectivity between the GSLB sites.”
The customer's GSLB configuration was not working, and this was confirmed by a packet capture taken from the Netscaler.

 = NetScaler IP
 = Subnet IP
 = Subnet IP | GSLB site IP
 = Public IP Remote GSLB Site Configuration

Ports = 22, 3008, 3009

Test Lab = 3010 – communicating between two NetScalers.


In the example above, we first see communication from the GSLB site IP to the remote external address.

Then we see communication attempts from the NSIP to the remote external address.

Then we see communication attempts from the SNIP to the remote external VIP.
Netscaler attempts to speak to the external IP of the remote device in this order:

The following trace further proves that GSLB uses ports 3010 and 22. In the example trace below they are not open ports.

Source Address : NetScaler IP

Destination Address : Remote NetScaler GSLB Public IP

Netscaler > System > Network > RPC


GSLB will contact a remote public IP if configured.

It will also try in the following order:




GSLB must have ports 22, 3008, 3009 and 3010 open between the sites.

The customer had a remote public IP configured, which potentially did not need to be present as this was internal GSLB.

The customer also did not have the relevant ports open between the sites.
  • ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
  • GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
    • RPC Source IP: RPC traffic is sourced from a SNIP, even if this is different than the GSLB Site IP. It’s less confusing if you use a SNIP as the GSLB Site IP.
    • Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
    • MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
    • GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
  • DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
  • IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
    • One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
    • One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
    • If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.

Bullet points taken from Carl Webster's superb site:


Removing Problematic Delivery Controller – Method 1

This article will show you how to remove a Delivery Controller from your environment that is no longer required or functioning, where attempts to re-add a controller with the same machine name fail. You do not need access to SQL yourself: you can hand the eviction scripts over to your DBA to clean up your XenApp database.

This procedure worked in my XenApp 7.x environment with one working Delivery Controller left in my Site.


Example 1

Obtain Controller SID

Launch Powershell as an administrator on your remaining Delivery Controller.

Run Get-BrokerController

Take note of the SID of the Delivery Controller that is no longer functioning; you will need this SID. The state may still show as Active if connections are still active.
Null Connections

Now run the following to null the database connections of the controller you wish to remove from your XenApp database. This is carried out on a working Delivery Controller.

Set-ConfigDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-BrokerDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-ProvDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-AcctDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-HypDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-EnvTestDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-MonitorDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-SfDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-LogDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-AdminDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM

Set-AnalyticsDBConnection -DBConnection $null -AdminAddress DDC02.TSCLAB.COM (XD 7.6 ONLY)
Get-BrokerController will now show the state of the second DDC as Off.

Run Eviction Scripts

Next we need to run the following PowerShell commands, using the SID identified above for the controller that you are going to remove. These commands generate the eviction scripts.

Take care to point the site, monitoring and logging parts to your correct database.

Get-BrokerDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\brokerevict.sql
Get-ConfigDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\configevict.sql
Get-HypDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\hostevict.sql
Get-ProvDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\provevict.sql
Get-AcctDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\adevict.sql
Get-EnvTestDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\envtestevict.sql
Get-LogDBSchema -DatabaseName CITXENLOGDB -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\logevict.sql
Get-MonitorDBSchema -DatabaseName CITXENMONDB -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\monitorevict.sql
Get-SfDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\sfevict.sql
Get-AdminDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\adminevict.sql
Get-AnalyticsDBSchema -DatabaseName CITXENSITE -ScriptType evict -sid S-1-5-21-40836310-432886117-331853842-1171 > c:\analyticsevict.sql (XD 7.6 ONLY)

Execute Scripts on SQL
The commands above generate the eviction scripts to run on SQL.
The scripts appear locally on the C drive of your Delivery Controller.

Copy these over to your SQL server acting as Principal.

Execute the eviction scripts on the SQL server in SQLCMD mode.

Open SQL Server Management Studio, click File > Open and choose your .sql script.

Your script will be imported into SQL.

Run your query in SQLCMD mode.

Then click Execute.
You should get a result similar to the below.

Repeat this procedure for all your eviction scripts that you created.
Run Get-BrokerController. You should only see your remaining Delivery Controllers in your environment.

Clean up Registered Service Instances

Once this is done you need to clean up the registered service instances. You can see the controllers assigned to the services by running the command below.


You will see that the faulty delivery controller is still registered to services.

Run the following in your PowerShell window.

Get-ConfigRegisteredServiceInstance | select serviceaccount, serviceinstanceuid | sort-object -property serviceaccount > c:\registeredinstances.txt

This will generate a text file at c:\registeredinstances.txt.

Inside this file you will see something similar to the below:
In this example we can see DDC01 and DDC02 are registered.

Once you have the output, you can use an advanced text editor like Notepad++ to select the ServiceInstanceUids of the service instances on DDC02 and use the data to build and run a simple unregister script:

Copy your amended text and create a .ps1 file on your local C drive of the Delivery Controller.

Run the file within your administrative PowerShell window.

Once complete check the registered service instances once again.

You should not see any registered service instances on the delivery controller you have removed.
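As an added example of the unregister step above (not the post's own script), the following PowerShell builds the unregister list itself instead of hand-editing the text file: it filters the registered service instances down to the removed controller's machine account, unregisters only those, and re-checks the count. It assumes the Citrix snap-ins are available on the surviving controller, that ServiceAccount is reported as DOMAIN\MACHINE$, and uses DDC02 as a placeholder controller name.

```powershell
# Added example, not from the original post. Assumes the Citrix PowerShell
# snap-ins are available on the surviving Delivery Controller and that
# ServiceAccount is reported in the form DOMAIN\MACHINE$ (an assumption).
Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

$RemovedController = 'DDC02'   # placeholder: machine name of the evicted controller

# Regex: a backslash, the escaped machine name, then a literal '$' at the end.
# Anchoring on the full account name avoids matching DDC020 when removing DDC02.
$Pattern = '\\' + [regex]::Escape($RemovedController) + '\$$'

$Stale = @(Get-ConfigRegisteredServiceInstance |
    Where-Object { $_.ServiceAccount -match $Pattern })

if ($Stale.Count -eq 0) {
    Write-Host "No registered service instances found for $RemovedController."
    return
}

# Show what is about to be removed. Instances belonging to the surviving
# controllers must not appear in this list; stop here if they do.
$Stale | Select-Object ServiceType, ServiceAccount, ServiceInstanceUid |
    Format-Table -AutoSize

foreach ($Instance in $Stale) {
    Unregister-ConfigRegisteredServiceInstance -ServiceInstanceUid $Instance.ServiceInstanceUid
    Write-Host "Unregistered $($Instance.ServiceType) instance $($Instance.ServiceInstanceUid)"
}

# Verify: the count of instances still registered to the removed controller
# should now be zero.
$Remaining = @(Get-ConfigRegisteredServiceInstance |
    Where-Object { $_.ServiceAccount -match $Pattern }).Count
Write-Host "Remaining registered instances for ${RemovedController}: $Remaining"
```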

You should now be able to add your Delivery Controller back in to the environment.