To access the Secondary unit without changing HA Primary unit , which I would advise against if you are not sure of the VPN status run the following

execute ha manage 1

Login with the credentials

Then run 

diagnose vpn ike gateway

Lists all the current VPNS

diagnose vpn tunnel stat

Check how many are up

• No Comments

Recently I was trying to add a Windows Feature into a Windows.wim file. 

After mounting the Wim I ran the below on a server 2012 machine

Dism /Image:”c:\temp” /Enable-Feature /FeatureName:NetFx3 /all

However I got 

Error 87 : “enable-feature is unknown”

I had to run the Dism /Image:”c:\temp” /Enable-Feature /FeatureName:NetFx3 /all command on a Windows 10 Box

• No Comments

Meraki’s Advice to enable AD authentication for VPN is to create the Service account as …. Domain Administrator

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integration

This is big security no no ( Incase the account gets compromised then the whole domain gets compromised ) 

You can set this account as Domain User which will give the access

• Query the user database via LDAP
• Query group membership via LDAP

You can then assign the WMI permissions for : Query the domain controller via WMI 

by doing the below on the domain controller 

To set the WMI user access permissions

1. Select Start > Run.
2. On the Run dialog, type wmimgmt.msc in the Open field.
3. Click OK to display the Windows Management Infrastructure (WMI) Control Panel.
4. In the left pane of the WMI Control Panel, highlight the WMI Control (local) entry, right-click, and select the Properties menu option. This displays the WMI Control (Local) Properties dialog box.
5. Select the Security tab in the WMI Control (Local) Properties dialog box.
6. In the namespace tree within the Security tab, expand the Root folder. This action lists the available WMI name spaces.
7. Click the CIMV2 namespace to highlight it.
8. Click Security to display the Security for ROOT\CIMV2 dialog box.
9. Click Add in the Security for ROOT\CIMV2 dialog box to display the Select Users or Groups dialog box.
10. Add the domain user account that will be used as your proxy data collection user account. This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.
11. Click OK to close the Select Users or Groups dialog box and return to the Security for ROOT\CIMV2 dialog box. The user account you selected should now be listed in the Name list at the top of the dialog box.
12. Select the newly added user (if it is not already selected) and enable the following permissions:
    • Enable Account
    • Remote Enable
      Enable the permissions by clicking the Allow box, if it is not already checked for that permission. The Enable Account permission should already be selected, but the Remote Enable permission will need to be selected.
13. Click OK to close the Security for ROOT\CIMV2 dialog box.
    The permissions should now be properly set for the proxy data collection user account.

• No Comments

Trying to authenticate a user with their AD credentials and the error displayed

The remote connection was denied because of the username and password combination

In the Event Log on the Meraki 

Also saw these errors

msg: invalid DH group 19.
 msg: invalid DH group 20.

msg: failed to begin ipsec sa negotiation.

You need a TLS Certificate on the Domain Controller and Radius server for Communication , run the below powershell 

New-SelfSignedCertificate -DnsName domaincontroller.domain.local -CertStoreLocation cert:\LocalMachine\My

This will create a cert for you in Personal / Certificates for the Local Computer

You will need to use the MMC to copy this to the Trusted Root Certification Authorities

I also has issues with Radius with the error : msg: failed to begin ipsec sa negotiation.

After following these settings : https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

In the end I had to Clear out the Conditions in the network polices ( Specifically the Calling Station ID ) and re-add

• No Comments

Search for the message in Mimecast 

Then Copy the Header to Clipboard and Search for “Fail”

You can see any DNS checks it might have failed e.g. : 

• No Comments

.

Set Explorer to My Computer not Quick Access

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

LaunchTo DWORD

1 = This PC 2 = Quick access

• No Comments

Trying to add a secondary Storefront server came up with an error during propagation of settings : 

Failed to get the end status of the sever configuration update.
System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Access to the path ‘C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows\CitrixReceiver.exe’ is denied.
at Citrix.DeliveryServices.ConfigurationReplication.WCF.ConfigurationReplication.EndUpdateConfiguration(IAsyncResult asyncResult)

Looks like the same issue as https://pariswells.com/blog/research/import-stfconfiguration-an-error-occurred-configuring-storefront-diagnostics-method-invocation-failed-because

Deleting : C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows and \Mac Fixed this issue

• No Comments

If your windows 10 machines get their updates from WSUS then you might get Error 0x800F081F while installing .NET Framework 3.5 on Windows 10. This is probably due to Windows 10 not being able to search your Windows Updates location for the Feature.

Approve these updates

Synchronise Server and try again

• No Comments

Trying to import a Citrix Storefront Config produces the following Error

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. Method invocation failed because
[System.Collections.Hashtable+ValueCollection] does not contain a method named ‘Contains’.
At line:1 char:1
+ Import-STFConfiguration -configurationZip “c:\Temp\backup.zip” -HostB …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-STFConfiguration], Exception
+ FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException,Citrix.StoreFront.ImportConfigura
tion

You need to wipe your Storefront Config using the below Commands

PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> . .\ImportModules.ps1
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Clear-DSConfiguration

Then retry import

I got then next error

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. The running command stopped because
the preference variable “ErrorActionPreference” or common parameter is set to Stop: Cannot remove item C:\Program
Files\Citrix\Receiver StoreFront\Receiver Clients\Mac\CitrixReceiver.dmg: You do not have sufficient access rights to
perform this operation.
At line:1 char:1
+ Import-STFConfiguration -configurationZip “c:\Temp\backup.zip” -HostB …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-STFConfiguration], Exception
+ FullyQualifiedErrorId : System.Management.Automation.ActionPreferenceStopException,Citrix.StoreFront.ImportConfi
guration

Deleting 

C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Mac

and 

C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows

fixed this

• 1 Comment

Recently trying to install VDA on a server 2016 server and it comes up with the below error trying to install Remote Desktop Session Host

Error Id: XDMI:334CF235

Exception:
Citrix.MetaInstaller.MetaInstallerException ‘dism’ component failed to install with error 0x800f080c.
at Citrix.MetaInstaller.Prerequisite.RdsComponents.Install(InstallationContext context)

at Citrix.MetaInstaller.InstallationManager.InstallComponent(InstallableComponent component, InstallationContext installContext)

Looking in the logs it’s failing when running this :

dism /quiet /norestart /english /online /enable-feature /featurename:Remote-Desktop-Services /featurename:ServerMediaFoundation /featurename:AppServer /featurename:InkAndHandwritingServices /featurename:DesktopExperience

When I run this manually I get  : 

Feature name DesktopExperience is unknown. 
Feature name InkAndHandwritingServices is unknown.

This is actually already bundled in 2016 , you will need to install VDA 7.11 ( the minimum version that supports Server 2016 ) 

• No Comments