The Domain does not Enumerate Within the Citrix Management Console
Citrix states in their article: CTX881878
CTX881878 - The Domain does not Enumerate Within the Citrix Management Console
This document was published at: http://support.citrix.com/kb/entry.jspa?externalID=CTX881878
Document ID: CTX881878, Created on: Sep 13, 2001, Updated: Sep 8, 2003
Products: Citrix MetaFrame XP 1.0 for Microsoft NT 4.0 Server Terminal Server Edition, Citrix MetaFrame XP 1.0 for Microsoft Windows 2000
Symptom
When attempting to publish an application to domain users or groups, or when attempting to add a Citrix administrator from the domain, the domain does not appear on the list.
Cause
When the IMA service starts it tries to create a list of domains trusted by the server, which includes:
• The server name
• BUILTIN
• The server's primary domain
• The domains trusted by the primary domain. Ensure User Manager for Domains or Active Directory Domains and Trusts contains correct and active trusts.
Below is an excerpt of a ctxtrace log that came from an environment in which a non-existent domain was still configured in a trusting relationship. The computer was unable to see the domain under Network Neighborhood > Directory.
[MFSrvSs, Info] GetUIDByHostID: hidServer= 0x00001adc
[MFApp, Info] MFAppCache_Initialize called
[WinDrvSS, Info] QueryTrustInfoThread::QueryTrustedInstances() - DsEnumerateDomainTrusts(DS_DOMAIN_PRIMARY) FAILURE or returned no primary domain. The Server must be in a Workgroup. Value = 51f
[WinDrvSS, Info] QueryTrustInfoThread::QueryTrustedInstances() - Primary Domain Name Follows:
[WinDrvSS, Info]
[WinDrvSS, Info] QueryTrustInfoThread::QueryTrustedInstances() - For NT5 - End Value = 0
• MetaFrame XP also tries to find out the type of a domain; that is, whether it is Windows NT 4.0 or Active Directory. No API calls are available for this on Windows Terminal Server. Therefore, MetaFrame XP tries to find the primary domain controller (PDC) for the domain and then checks the operating system version of the PDC. If the PDC operating system version is Windows 2000, it is known to be an Active Directory domain.
To find the operating system version of a PDC, MetaFrame XP calls the Win32 GetServerGetInfo API. This API may fail with an ACCESS_DENIED error because the PDC is not allowing anonymous connections.
Below is a sample log when the IMA service starts and fails under this condition:
[WinDrvSS, Error] WinDrvHelper::_GetServerInfo(). Failed. Value = 5
[WinDrvSS, Error] WinDrvHelper::GetDomainType(). _GetDCName(PDC) Failed. Value = 80000001
[MFSrvSs, Info] QueryMFCompatibilityMode: DISABLED.
[WinDrvSS, Error] WinDrvHelper::_GetServerInfo(). Failed. Value = 5
[MFApp, Error] RemoveAppsFromRegistry: RegOpenKeyEx(hMF20AppsKey) failed. Error: 0x2.
[WinDrvSS, Error] WinDrvHelper::GetDomainType(). _GetDCName(Any DC) Failed. Value = 80000001
• Does Q310611 apply?
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Make sure you back up the registry before you edit it. If you are running Windows NT, also update your Emergency Repair Disk (ERD).
There is a registry value called "RestrictAnonymous" under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA key. If this value is set to 1 on the PDC, the API call fails. Possible solutions:
1. Set the "RestrictAnonymous" value to zero on the PDC (you may need to reboot).
2. Windows Terminal Server servers treat Active Directory domains as Windows NT 4.0 domains, unless at least one Windows 2000 server joins the farm and updates the data store to indicate the correct domain type.
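The two failure conditions described above can be separated in a ctxtrace capture by decoding the trailing codes. The following Python sketch is an added example, not Citrix code; the function names are hypothetical, the sample lines are taken from the two excerpts in this article (helper name written as _GetServerInfo), and it assumes the trailing "Value =" and "Error:" numbers are hexadecimal.

```python
import re
from collections import Counter

# Standard Win32 codes (winerror.h) that occur in the excerpts above.
WIN32 = {0x2: "ERROR_FILE_NOT_FOUND", 0x5: "ERROR_ACCESS_DENIED",
         0x51F: "ERROR_NO_LOGON_SERVERS"}

LINE = re.compile(r"^\[(\w+),\s*(\w+)\]\s*(.*)$")
# Assumption: trailing "Value = N" / "Error: 0xN." numbers are hexadecimal.
CODE = re.compile(r"(?:Value\s*=|Error:)\s*(?:0x)?([0-9a-fA-F]+)\.?\s*$")

def parse_line(line):
    """Split '[Module, Level] message' and decode the trailing code, if any."""
    m = LINE.match(line.strip())
    if not m:
        return None
    module, level, msg = m.groups()
    c = CODE.search(msg)
    code = int(c.group(1), 16) if c else None
    return {"module": module, "level": level, "msg": msg,
            "code": code, "name": WIN32.get(code)}

def triage(lines):
    """Count the failure conditions the article describes."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"]
        if "DsEnumerateDomainTrusts" in msg and "FAILURE" in msg:
            hits["trust_enumeration_failed"] += 1  # review configured trusts
        elif "_GetServerInfo" in msg and rec["name"] == "ERROR_ACCESS_DENIED":
            hits["pdc_access_denied"] += 1         # review RestrictAnonymous on the PDC
        elif "GetDomainType" in msg and "Failed" in msg:
            hits["domain_type_unresolved"] += 1    # domain type could not be determined
    return dict(hits)

# Lines copied from the two ctxtrace excerpts in this article.
SAMPLE = [
    "[WinDrvSS, Info] QueryTrustInfoThread::QueryTrustedInstances() - DsEnumerateDomainTrusts(DS_DOMAIN_PRIMARY) FAILURE or returned no primary domain. The Server must be in a Workgroup. Value = 51f",
    "[WinDrvSS, Error] WinDrvHelper::_GetServerInfo(). Failed. Value = 5",
    "[WinDrvSS, Error] WinDrvHelper::GetDomainType(). _GetDCName(PDC) Failed. Value = 80000001",
    "[WinDrvSS, Error] WinDrvHelper::_GetServerInfo(). Failed. Value = 5",
    "[MFApp, Error] RemoveAppsFromRegistry: RegOpenKeyEx(hMF20AppsKey) failed. Error: 0x2.",
    "[WinDrvSS, Error] WinDrvHelper::GetDomainType(). _GetDCName(Any DC) Failed. Value = 80000001",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A pdc_access_denied count points at the anonymous-connection restriction on the PDC, while trust_enumeration_failed points at the trust list itself.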