The Virtual Desktop is Unable to Register with Controllers in Multiple Domain Environments

RoyATokeshi
September 7, 2008 2:45 pm

Citrix states:

The Virtual Desktop is Unable to Register with Controllers in Multiple Domain Environments

Document ID: CTX117752   /   Created On: Jul 10, 2008   /   Updated On: Jul 10, 2008
Average Rating: not yet rated

productFamilyKey3 = "xd"; topics3 = "General"; productFamilyKey = productFamilyKey3.replace("/","--") + "/"; topics = topics3.replace("/","--") + "/";

Symptoms

When the Active Directory (AD) account for a desktop is in a different domain from the farm organizational unit (OU), the desktop always appears as "Not registered" in the Access Management Console.

The following error appears in the Windows Event Log on the desktop computer:

Event Type:        Error
Event Source:    Citrix Desktop Delivery Controller
Event Category:  None
Event ID:              1190
User:                     N/A
Computer:          <Desktop machine name>
Description: Unauthorized request received from <Controller domain>\<Controller machine name>$.

This occurs on Windows 2000 Native and Windows 2003 Active Directory deployments.

Cause

One cause of these symptoms is that the controller communicating with the Virtual Desktop Agent is not a member of the Controllers group in the farm OU. This should be checked first.

The cause discussed in this article is that the Controllers security group in the farm OU has an inappropriate scope. This cause is specific to cross-domain deployments.

The Controllers group contains the accounts of all controllers in the farm. It is used by the Virtual Desktop Agent to perform access checks on all communication received from controllers. If the Controllers group is configured so that it cannot be used for access checks on other domains, the registration of the Virtual Desktop Agent with the controller fails.

When the Active Directory Configuration Wizard is used to create the farm OU, the Controllers security group is created with a scope of Domain Local. Domain Local groups cannot be used to perform access checks on other domains.

Note: In Windows 2000 mixed mode forests, the Active Directory Configuration Wizard creates the group with a scope of Global and therefore operates correctly.

Resolution

Create the farm OU manually or modify the Controllers group after creation using the Active Directory Configuration Wizard. Details on how to create the OU and choose the appropriate scope for the Controllers group can be found in Knowledge Center article CTX117262 – How to Manually Configure an Organizational Unit in Active Directory for use by XenDesktop.

Note that in order to modify a group scope from ‘Domain Local’ to ‘Global’, the group must first be changed from ‘Domain Local’ to ‘Universal’ and then from ‘Universal’ to ‘Global’. Restart the Desktop Delivery Controller after making the change to the group scope.


This document applies to:

  • XenDesktop 2.0 x32

 



Primary links

Custom Search

User login

Who's new

  • japhabept
  • Rullydery
  • eagenorce
  • rittaarier
  • swasseZex

Who's online

There are currently 0 users and 4 guests online.

KrissysCorner.com RuthSwensonLaw.com CreativeLizardProductions.com

DISCLAIMER:

None of this has anything to do with us, someone else is responsible for the entire thing, and we have no idea who or why. We do not know anything about it. It may be alien life forms for all we know: we haven't a clue. You cannot blame us for anything that may result from your visit. That was entirely your own personal choice, made by you of your own volition, and without our knowledge. We do not, after all, have any control over you and cannot by any stretch of the imagination be expected to accept or acknowledge, be it legally or morally, any accountability for decisions made by you on an independent basis, utilizing your own free will, and without our intervention. We are therefore in no way, shape, or form answerable to anyone for any consequences arising from the aforementioned or indeed any other actions, similar or otherwise, because it was not us that did, or did not do anything. It is not even remotely our fault, and we are in no way prepared or willing to accept any liability, not even slightly, ever. We are, in fact completely and utterly blameless, in that it is definitely not our concern, and no blame can possibly be laid at our doorstep, even if we had one, the possession of which we hereby reserve as being entirely our own free choice. The onus is not on us at all, and furthermore, never has been. The entire matter is wholly beyond our control, and completely out of our hands, each of which are washed scrupulously clean of the whole business. We are not accountable for anything at all, and we hereby categorically deny all responsibility for all that has ever, or will ever happen. Our innocence is therefore wholly beyond doubt and absolutely unimpeachable, and so cannot, under even the remotest or unlikeliest circumstances, be brought into question. By clicking either on a link on this site, clicking on a link that leads to this site, or by arriving at this site by natural or supernatural means, you are in effect accepting responsibility for the fact that it is all entirely your own fault, down to the most miniscule detail, and that you are wholly accountable for whatever outcome may arise as a consequence of the aforementioned action or actions insofar as they were undertaken personally by you on an entirely voluntary basis and without any persuasion, coercion or influence from any party or parties other than yourself. Don't come sniveling to us, we are only figments of your imagination. I also agree that if I am ever with a contributor to this website during mealtimes I agree to pay for any super-sizing of their meal, or at least a nice dessert or one of those foo-foo drinks with an umbrella or a monkey. By admitting to have seen the worthless spineless drivel on this website (also known as content)

I Agree Wholeheartedly and Without Reservation to the above. (Except maybe for that part about the monkey.)

All Your Base Are Belong To Us.

Soylent Green Is People!

Never make a bet with a Sicilian when Death is on the Line!

No. Really, I do agree.