In a multi-zone XenDesktop setup, the Delivery Controller in Azure fails to connect to an on-premises primary XenDesktop site.
The CDF log from the Delivery Controller shows the following error:
ValidateConfigurationServiceLocationScript(197): Citrix.Console.Models.Exceptions.CommunicationErrorException: There was a problem communicating with the server. ---> System.InvalidOperationException: An invalid URL was given for the service. The value given was xxxxx.lab.local'. The reason given was: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. An error occurred when verifying security for the message.. ---> System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message. --- End of inner exception stack trace ---
Azure virtual machines are not able to register with the on-premises XenDesktop Controller. Desktop registration fails even though the Azure Virtual Delivery Agent (VDA) is able to ping the on-premises Domain Controller and Delivery Controller. Azure VDAs are listed as Unregistered in Desktop Studio.
The CDF log from the Broker Agent shows the following error:
BrokerAgentEvents:###,BrokerAgent.Register.AttemptFailed#S-1-5-21-1163847196-3367621120-309448121-1113#xxxxx.lab.local#100.100.100.14#Citrix.Cds.BrokerAgent.ConnectionFailedException#Error occurred when attempting to connect to endpoint at address http://xxxxx.lab.local:80/Citrix/CdsController/IRegistrar, binding WsHttpBindingIRegistrarEndpoint and contract Citrix.Cds.Protocol.Controller.IRegistrar: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message. --- End of inner exception stack trace ---
Set up the primary domain controller (PDC) as the primary time source for the domain, and enable the PDC to sync its time with an external time source.
Using the Group Policy Management Console, create a group policy for the PDC and link it to the correct OU.
In Computer Configuration > Windows Time Service > Time Providers, enable the Configure Windows NTP Client policy setting and configure it as follows:
NtpServer: 0.pool.ntp.org,0x9
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0
Link the group policy to a WMI filter, making sure it only applies to the PDC.
Create a second group policy for the other domain controllers or member servers in Windows Azure. This policy includes a simple startup script that sets the PDC as the primary time source and restarts the time service. To create this script, copy and paste the following text into a text editor and save it as a .cmd file.
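@echo off
rem Stop syncing time with the Azure Hyper-V host (VMIC time provider)
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0 /f
rem Sync from the domain hierarchy (PDC), then restart the time service to apply the change
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time & net start w32time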
The GPO has the following settings:
Link the GPO to a new WMI filter, making sure that the GPO only affects non-PDCs.
Restart the servers to complete the configuration. Verify the time sync settings on member servers by running the following command:
W32tm /monitor
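To confirm on an individual Azure VM that the startup script took effect, the following PowerShell check can be run locally. It is an added example, not part of the original article or a Citrix tool; the `$MaxSkewSeconds` parameter and its 300-second default (the default clock-skew tolerance of WCF message security and of Kerberos) are assumptions of this example.

```powershell
# Added example: audit time sync on a domain-joined Azure VM after the GPO has applied.
# $MaxSkewSeconds is an assumed threshold (300 s = default WCF/Kerberos skew tolerance).
param([int]$MaxSkewSeconds = 300)

Add-Type -AssemblyName System.DirectoryServices
$findings = @()

# 1. The startup script should have set VMICTimeProvider\Enabled to 0.
$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$vmic = (Get-ItemProperty -Path $vmicKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($vmic -ne 0) { $findings += "VMICTimeProvider is not disabled (Enabled=$vmic)" }

# 2. The active time source should be a domain controller, not the Hyper-V host
#    or the local clock.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'VM IC Time Synchronization Provider|Local CMOS Clock|Free-running') {
    $findings += "Time source is '$source', not the domain hierarchy"
}

# 3. Measure the offset against the PDC emulator with three NTP samples.
#    Data lines look like "12:00:00, +00.0012345s"; error lines do not match.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name
$offsets = @(w32tm /stripchart /computer:$pdc /samples:3 /dataonly |
    ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } })

$worst = $null
if ($offsets.Count -eq 0) {
    $findings += "No NTP samples received from $pdc (is UDP 123 reachable?)"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        $findings += "Clock offset to $pdc is ${worst}s (limit ${MaxSkewSeconds}s)"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Time sync OK: source '$source', worst offset ${worst}s against $pdc"
```

A non-zero exit code means at least one of the three checks failed; the warnings name which one.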
The Microsoft Azure virtual machine's time is not syncing with the on-premises Delivery Controller.
By default, any virtual machine running in Microsoft Azure is configured to sync time with its parent Hyper-V host. This provides a time source for the VM during the startup phase.
If you are using XenDesktop in a hybrid cloud scenario with an on-premises domain infrastructure, you need to sync your Azure VMs with the on-premises domain controller. This will require some manual configuration since Microsoft Azure resides in a different time zone than your local domain.