Last September, I posted a script that I had written to address a few issues in the Horizon View environment that I managed at the time.  At the time, I had seven base images for sixteen desktop pools, and scheduling the Patch Tuesday recompose operations would take half the day if I had to do it manually in View Administrator.

After the script was posted, I learned that there were several issues with it.  While it had worked in the environment I originally wrote it for, I hadn’t properly documented all the parameters in the comment-based help.  This was causing odd failures when attempting to run the script.

A couple of weeks ago, I received an email from someone who was hoping to use the script in their environment.  They were experiencing issues with running the script, and after helping them with their issue, I decided to revisit the script and fix the issues.

The changes in this version of the script are:

• Changed the way that the View LDAP database is queried so the Quest AD cmdlets are no longer required
• Removed the Replica Parameter. The script will now detect the correct replica volume from the Pool settings
• Renamed the View parameter to ConnectionServer to better describe what its for
• Made the vCenter, ConnectionServer, and ParentVM parameters mandatory.
• Fixed the comment-based help so all parameters are listed and examples provided.
• Removed all email notification code from the script

You can download the latest version of the Start-Recompose PowerShell script from my Github site.

VMware introduced support for Windows Server 2008 R2 virtual desktops in Horizon View 5.3.  This support wasn’t enabled out of the box.  It required an administrator to edit the View LDAP database to enable the feature and a special command-line only installation of the agent on the target desktop.

Horizon View 6 brought many new changes, including better support for Windows Server desktop.  The first patch set also added better support for this feature.

Why Use Windows Server 2008 R2 as a Desktop OS?

Historically, Microsoft licensing for virtual desktops has been a pain.  In the past, it required connecting endpoints to be covered under software assurance or users to be covered under expensive subscription-based licensing, and there were no service provider licensing options.

Although some of this appears to be changing with the latest per-user licensing SKUs that will be available on December 1st, 2014, the service provider side still hasn’t been fixed.

From a cost perspective, there are some benefits as well.  Windows Server Data Center licensing allows for unlimited Windows instances on licensed virtual hosts.  This can generate significant savings compared to VDA subscriptions.

Note: I am not an expert on Microsoft licensing, and the features and terms of Microsoft’s licensing can change frequently.  Please contact your Microsoft representative if you have any questions on licensing products for virtual desktop environments.

Enabling Windows Server 2008 R2 Desktop Support

Enabling Windows Server 2008 R2 desktop support have been streamlined from Horizon View 5.3, and manual edits to the LDAP database are no longer required.

The steps to enable this support are:

1. Log into the Horizon View Administrator console.

2. Go to View Configuration –> Global Settings

3. Click Edit.

4. Check the Enable Windows Server 2008 R2 Desktops checkbox and click OK.

Installing the Horizon View Agent

The process for installing the View Agent on Windows Server desktops has also been streamlined.  Installing the agent in View 5.3 required a command-line installation with a special switch to force the installer into desktop mode as the installer was geared for servers with the RDSH role. 

That has changed as well, and the installation process for Server 2008 R2 desktops is now the same as installing it on Windows 7/8/8.1 virtual desktops.

Horizon View provides a secure method for granting users access to their desktops from anywhere with an Internet connection on any device without needing a VPN connection.  Now that a desktop pool has been set up and desktops are provisioned, it’s time to set up that remote access.

The Security Server

The View Security Server is VMware’s method of addressing remote access.  This component of the Horizon View environment contains a subset of the Connection Server components, and it is designed to sit in a DMZ and act as a gateway for Horizon View Clients.  It’s essentially a reverse proxy for your View environment.

Each Security Server that is deployed needs a corresponding Connection Server, and they are paired during the installation process.  Because the Security Server is an optional component, each Connection Server is not required to have one, and a Connection Server cannot be paired to more than one Security Server.

Each Security Server also needs a static IP address.  If it is externally facing, it will need to have a publicly addressable static IP.  This IP address does not need to be configured on the server’s network card as both Static 1:1 NAT and PAT work with Horizon View.

Security Server Firewall Ports

In order to enable remote access, a few ports need to be opened on any firewalls that sit between the network where the Security Server has been deployed and the Internet.  If the server is deployed into a  DMZ, the firewall will also need to allow traffic between the Security Server and the Connection Server.

The rules that are required on the front-end, Internet-facing firewall are:

• HTTP – TCP 80 In
• HTTPS – TCP 443 In
• HTTPS – TCP 8443 both directions (if Blast is used)
• PCoIP – TCP 4172 In, UDP 4172 both directions

If you are deploying your Security Servers in a DMZ configuration with a back-end firewall, you need to configure your firewall to allow IPSEC traffic to the Connection Servers.  These rules depend on whether network address translation is used between the DMZ and Internal network.  For more information on the rules that need to be enabled, please see this VMware KB article.

The Security Server will also need to communicate with the Horizon View desktops.  The following ports will need to be opened to facilitate this:

• PCoIP – TCP/UDP 4172 both directions

Note: If you’re using application-aware firewalls like Palo Alto Networks devices, make sure that any application protocols required by Horizon View aren’t blocked between the DMZ and Internal network.  Also, updates to the application signatures or the PCoIP protocol may impact users’ access to virtual desktops.

Configuring Horizon View for a Security Server

The Security Server installation will prompt for a Connection Server to be paired with and a pairing password during the install process.  This must be set up before the installation starts.  To set up the pairing password, take the following steps:

1. In View Administrator, go to View Configuration –> Servers

2. Click on the Connection Servers tab and select the Connection Server you want to pair with.

3. Click on More Commands and select “Specify Security Server Pairing Password.”

4. Specify your pairing password.  When you do this, you will also be able to configure how long that password will be valid for.  If the password is not entered in that time period, or if you encounter errors with the install that are not resolved before the timeout period expires, you will need to create a new password.

Note: Pairing passwords can time out or be invalidated by hitting the back button during the Security Server installation after the pairing password has been entered.  If this happens, the password will need to be recreated using the steps above.

Installing the View Security Server

Once the pairing password is set up, you can start the Security Server installation.

1. Double-click the installer to start the installation.

2. Accept the license agreement

3. The next screen gives you the option to change the installation directory by clicking the Change button.  For this installation, we’ll be installing to the default location, so click Next.

4. Select Security Server

5. Enter the hostname or IP address of the Connection Server the Security Server will be paired with.

6. Enter the pairing password.

7. In order for View Clients to properly connect to the Security Server, you need to configure the External URLs for the server.  The items that need to be configured are:

• External URL – the fully-qualified public domain name and port such as view.remotedomain.com:443
• PCoIP External URL – the public IP address and port number.  If this server is behind a NAT, this should be the IP address that can be reached from the Internet.  Example: 4.4.4.4:4172
• Blast External URL – the fully-qualified public domain name and port used by VMware Blast such as html5desktop.remotedomain.com:8443

8. The View Installer will give you the option to automatically configure the Windows Firewall for View.  Click Next to allow the installer to set up the Windows Firewall.  If you do not want the installer to configure the firewall, you will need to configure these rules manually after installation.

Note: This also configures the IPSec Rules that are needed for secure communication between the Security Server and the Connection Server.

9. Click Install to finish the installation.

10. Click Finish to close the installer.

11. If you log back into View Administrator and go to View Configuration –> Servers –> Security Servers, you should see your newly added Security Server.

Every system needs a way to group entities in order to organize them, delegate administration, and control security on them.  Horizon View uses desktop pools to group desktops, apply Horizon View specific policies, and entitle access to users. 

Horizon View has a few different types of desktop pools.  Each pool handles desktops in different ways, and they each have different purposes.  The type of pool that you select will be determined by a number of factors including the use case, the storage infrastructure and application requirements.

The type of desktop pools are:

• Full Clone Pools – Each virtual desktop is a full virtual machine cloned from a template in vCenter.  The virtual machines are managed by View Connection Servers.
• Linked Clone Pools – Each virtual desktop is based on a snapshot and shares its disk with the parent virtual machine.  Changes to the linked clone are written to a delta disk.  The virtual machines are managed by View Composer.
• Manual Pools – The machines that make up the manual pool consist of virtual and/or physical machines that have had the View Agent installed.  These machines are not managed by View.
• Terminal Services Pool – The machines that make up these pools are Windows Servers with the Remote Desktop Services Role installed.

There is one other choice that needs to be selected when creating a desktop pool, and that is the desktop assignment type.  There are two desktop assignment types:

• Floating Assignment – Desktops are assigned to users at login and are returned to the pool of available desktops when the user signs out.
• Dedicated Assignment – Desktops are assigned to a user, and the user gets the same desktop at each login.  Desktops can be assigned automatically at first login or manually by an administrator.

For this walkthrough, I will be doing an Automatic Assignment Linked-Clone desktop pool.  These pools are usually referred to as Non-Persistent Desktop Pools.

Before you can set up a Linked Clone pool, View Composer will need to be installed and configured.

1. Log into View Administrator.  Under Catalog, select Desktop Pools.

2.  Click Add to add a new pool.

3. Select the Pool Type that you want to create.  For this, we’ll select Automated Pool and click Next.

4.  Select whether you want to have Floating or Dedicated Desktops.  For this walkthrough, we’ll select Floating and click Next.

Note: The Enable Automatic Assignment option is only available if you select Dedicated. If this option is selected, View automatically assigns a desktop to a use when they log in to dedicated pool for the first time.

5. Choose the type of virtual machines that will be deployed in the environment. For this walkthrough, select View Composer Linked Clones and click Next.

6. Each desktop pool needs an ID and a Display Name.  The ID field is the official name of the pool, and it cannot contain any spaces.  The Display Name is the “friendly” name that users will see when they select a desktop pool to log into.  You can also add a description to the pool.

7. The next screen after setting the pool name is for the pool settings.  There are a lot of options here, that control how the pool will behave.  Some of the options are:

• If the pool is enabled
• Default power state of desktops
• Display protocols
• Adobe Flash settings

8. The next screen will allow you to configure the provisioning settings for the pool.  This screen allows you to control provisioning behavior, computer names, and the number of desktops provisioned in the pool.

9. The next screen allows you to set up a special non-persistent disk for disposable files.  Disposable files are classified as temporary files and page files.  If a disposable disk is used, these files will be redirected to here, and this disk is deleted whenever the VM is shut down.

This screen allows you to determine how the virtual desktop will handle these files.

10. Select the option to store Replicas on a separate datastore if you want to place them on a different storage tier.  Andre Leibovici has a good article on the benefits of placing Linked Clone replicas on a different datastore.

11. After you choose whether or not to place the Replica Disks on a separate datastore, you need to configure the pool’s vCenter settings.  This covers the Parent VM and the snapshot that the Linked Clones will be based on, the folder that they will be stored in within vCenter, and the cluster and datastores that will be used.

In order to configure each setting, you will need to click the Browse button on the right hand side of the screen.  Each step must be configured in order.

11-A. The first item that needs to be configured is the Parent VM that the Linked Clones will be based on.  Select the VM that you want to use and click OK.

11-B. The next step is to select the Parent VM snapshot that the Linked Clones will be based on.  Select the snapshot that you want to use and click OK.

11-C. After you have selected a Parent VM and a snapshot, you need to configure the vCenter folder in the VMs and Templates view that the VMs will be placed in.  Select the folder and click OK.

11-D. The next step is to place the pool on a vSphere cluster.  The virtual machines that make up the desktop pool will be run on this cluster, and the remaining choices will be based on this selection.  Select the cluster that they should be run on and click OK.

11-E. The next step is to place the desktops into a Resource Pool.  In this example, I have not resource pools configured, so the desktops would be placed in the Cluster Root.

11-F. The final two steps of this section are to select the datastores where the Linked Clones and the Replicas will be stored.  Linked Clones can be stored on multiple datastores, so you can select multiple datastores in this section.  You can also configure View to allow the datastores to be overcommitted by changing the Storage Overcommit option on each datastore.

11-G. Replicas can only be stored on a single datastore.  Select the datastore that you want to store them on and click OK.

Note: After you have configured the Replica Datastore, you may receive the following warning about storing Replicas and Linked Clones on local datastores.  If you are using a SAN or a NAS and not storing any Replicas or Linked Clones on local datastores, you can ignore this message.

12. The next screen is for configuring the advanced storage options.  The three options that can be configured on this screen are the View Storage Accelerator, disk space reclaimation and the option to use native NFS snapshots.

If you use View Storage Accelerator or disk space reclamation, you can configure blackout times where vCenter will not run these tasks.

13. To set the blackout times for the pool, click the Add Button and select the days and times when you do not want these operations to run.  You can set multiple schedules.

14. After you have configured the advanced storage options, you need to configure the Guest Customization settings.  This screen allows you to select the domain and organizational unit for the desktops and whether Sysprep or Quickprep will be used to prepare the desktops.

15. Review the settings for the pool and verify that everything is correct.  Before you click Finish, check the Entitle Users checkbox in the upper right.  This will allow you to select the users and/or groups who have permission to log into the desktops.

If you need to make a change to the pool settings, the left-hand column contains links to each page in the wizard.

17. After you click Finish, you will need to grant access to the pool.  View allows you to entitle Active Directory users and groups.  Click Add to entitle users and groups.

18. Search for the user or group that you want to add to entitle.  If you are in a multi-domain environment, you can change domains by selecting the domain from the Domains box.  Click on the users or groups that you want to grant access to and click OK.

Note:  I recommend that you create Active Directory security groups and entitle those to desktop pools.  This makes it easier to manage a user’s pool assignments without having to log into View Administrator whenever you want to make a change.

19. You can check the status of your desktop pool creation in vCenter.  If this is a new pool, it will need to clone the VM into a Replica before it can create the Linked Clone desktops. 

Once the desktops have finished composing, you will be able to log into them through VMware Blast or the Horizon View client. 

I realize that there are a lot of steps in the process of creating a desktop pool.  It doesn’t take nearly as long as it seems once you get the hang of it, and you will be able to fly through it pretty quickly.  These steps can also be automated using the View PowerCLI cmdlets from any Connection Broker in the environment.

A virtual desktop environment is nothing without virtual desktops.  Poorly performing virtual desktops, or virtual desktops and pools that aren’t configured properly for the applications that are being deployed, can turn users off to virtual desktops and sink the project.

How you configure your desktop base image can depend on the type of desktop pools that you plan to deploy.  The type of desktop pools that you deploy can depend on the applications and how you intend to deploy them.  This part will cover how to configure a desktop base image for linked clone pools, and the next part in this series will cover how to set up a linked clone pool.

Before You Begin, Understand Your Applications

Before we begin talking about how to configure the desktop base image and setting up the desktop pools, its very important to understand the applications that you will be deploying to your virtual desktops.  The types of applications and how they can be deployed will determine the types of desktop pools that can be used.

A few factors to keep in mind are:

• Licensing – How are the applications licensed?  Are the licenses locked to the computer in some way, such as by computer name or MAC address?  Is a hardware key required? 
• Hardware – Does the application require specific hardware in order to function, or does it have high resource requirements?  This is usually a consideration for high-end CAD or engineering applications that require a 3D card, but it could also apply to applications that need older hardware or access to a serial port.
• User Profile and User Installed Applications – Are user profiles being centrally managed, or are they remaining local to the virtual desktops? Are users able to install their own applications?
• Application Remoting – Can the applications be installed on a terminal server and presented to the users using an application remoting technology such as XenApp or Horizon Application Remoting?

Once you understand the applications that are being deployed to the virtual desktops, you can start planning your pools and creating your base images.

Supported Operating Systems

Horizon View only supports virtual desktops running Microsoft Windows.  The versions of Windows that are supported are:

• Windows 8.1 Enterprise or Professional
• Windows 8 Enterprise or Professional
• Windows 7 Enterprise or Professional
• Windows Vista Business or Enterprise SP2 (32-bit only)
• Windows XP Professional SP3 (32-bit only)

Windows Server 2008 R2 is supported as a desktop operating system.  Configuring support for Server 2008 R2 desktops is easier in Horizon 6.0, and it only requires checking a single checkbox instead of editing the Horizon LDAP database.

Terminal Server sessions running on Windows Server 2008 R2 or newer are also supported, but I will cover those in another series.

For this part, we’re going to assume that we’re building a desktop running Windows 7 or Windows 8.1.  This will be more of a high-level overview of creating a desktop template for Horizon View, and I won’t be doing a step-by-step walkthrough of any of the steps for this section.

Configure the VM

Building a desktop VM isn’t much different than building a server VM.  The basic process is create the VM, configure the hardware, install the operating system, and then install your applications.  Although there are a few additional steps, building a desktop VM doesn’t deviate from this.

You should base the number of vCPUs and the amount of RAM assigned to your virtual desktops on the requirements for of the applications that you plan to run and fine tune based on user performance and resource utilization.

The recommended hardware for a virtual desktop is:

• SCSI Controller – LSI SAS
• Hard Disk – At least 40GB Thin Provisioned
• NIC – VMXNET3
• Remove Floppy Drive, and disable parallel and serial ports in BIOS
• Remove the CD-ROM drive if you do not have an alternative method for installing Windows.

Note: You cannot remove the CD-ROM drive until after Windows has been installed if you are installing from an ISO.

BIOS screen for disabling Serial and Parallel ports and floppy controller

You’ll notice that I didn’t put minimums for vCPUs and RAM.  Sizing these really depends on the requirements of your user’s applications.  I’ve had Windows 7 64-bit desktops deployed with as little as 1GB of RAM for general office workers up to 4GB of RAM for users running the Adobe Suite.

Install Windows

After you have created a VM and configured the VM’s settings, you need to install Windows.  Again, it’s not much different than installing Windows Server into a VM or installing a fresh copy of Windows onto physical hardware.  You can install Windows using the ISO of the disk or by using the Microsoft Deployment Toolkit and PXE boot to push down an image that you’ve already created.

When installing Windows for your desktop template, you’ll want to make sure that the default 100 MB system partition is not created.  This partition is used by Windows to store the files used for BItlocker.

Since Bitlocker is not supported on virtual machines by either Microsoft or VMware, there is no reason to create this partition.  This will require bypassing the installer and manually partitioning the boot drive.  The steps for doing this when installing from the DVD/ISO are:

1. Boot the computer to the installer
2. Press Shift-F10 to bring up the command prompt
3. Type DiskPart
4. Type Select Disk 0
5. Type Create Partition Primary
6. Type Exit twice.

Once you’ve set up the partition, you can install Windows normally.  If you’re using something like the Microsoft Deployment Toolkit, you will need to configure your answer file to set up the proper hard drive partition configuration.

Install VMware Tools and Join the Template to a Domain

After you have installed Windows, you will need to install the VMware tools package.  The tools package is required to install the View Agent.  VMware Tools also includes the VMXNET3 driver, and your template will not have network access until this is installed.   The typical installation is generally all that you will need unless you’re using vShield Endpoint as part of your antivirus solution.

After you have installed VMware Tools and rebooted the template, you should join it to your Active Directory domain.  The template doesn’t need to be joined to a domain, but it makes it easier to manage and install software from network shares.

Install View Agent

After you have installed the VMware tools package and joined your computer to the domain, you will need to install the VMware View Agent.  The default install of the View Agent includes all of the features except for PCoIP Smartcard support.  The agent install will require a reboot after it is completed.

Installing Applications on the Template

After you install the View Agent, you can begin to install the applications that your users will need when they log into Horizon View.

With tools like Thinapp available to virtualize Windows applications or layering software like Unidesk or Cloud Volumes, it is not be necessary to create templates for all of the different application combinations.  You can create a base template with your common applications, such as your office suite, pdf reader, etc, and then either virtualize or layer your other applications on top of that.

“Finalizing” the Image

Once you have the applications installed, it is time to finalize the image to prepare it for Horizon View.  This step involves disabling unneeded services and making configuration settings changes to ensure a good user experience.

There are two ways to do this.  The first is to use the batch file provided by VMware in the Horizon View Optimization Guide for Windows 7 and Windows 8.  The other option is to use the VMware OS Optimization fling.

Before you shut the virtual machine down to snapshot it, verify that any services required for applications are enabled.  This includes the Windows Firewall service which is required for the View Agent to function properly.

Shutdown and Snapshot

After you have your applications installed, you need to shut down your desktop template and take a snapshot of it.  If you are using linked-clones, the linked-clone replica will be based on the snapshot you select.

That’s a quick rundown of setting up a desktop template to be used with Horizon View desktops. 

In the next part of this series, I’ll cover how to create a linked-clone pool.