Author: Gregory

CMS Northbound Interface Integration


When designing the fiber management system (FMS), one feature that is heavily needed is a way to provision, change, delete and query customer hardware. Being a Calix shop, we have our access hardware, and a CMS (Calix Management System) which aggregates all of our access systems together. The result is a one stop shop where ONTs can be managed across one interface. Upon our first deployment, we used the CMS client to provision and manage all of our ONTs for customers. We quickly hated using the client for most of our operations. Now, I am in no way trying to bash Calix’s software; I believe CMS is a great tool. The client on the other hand… I cannot say the same.

CMS features a northbound interface, which uses XML over HTTP requests to exchange information between CMS and 3rd party applications. The CMS API is by far my most favorite/hated feature of CMS. The ability to use any language to make requests and retrieve results is awesome, but can be difficult in some languages. Let me provide a bit more information. My FMS system uses PHP for a majority of its server side rendering. I know how bad PHP is, but the need to make the system web accessible from any device drastically limited my options. Further details on why I used PHP will be made available in later posts. The access diagram for the FMS is below.


Since PHP runs server side, it allows our information to be processed within the same network as our CMS server, ultimately allowing clients to process information in the management VLAN where the CMS and Calix equipment resides. With the ability to serve clients with data via the web, any mobile or web accessible device can use the FMS.


Tying it all in

Given my current situation, I cannot explain in detail what I have fully done with this API, but what I can explain are some of the modules we tied the northbound interface in with. Some modules that reside within the FMS are customer records and basic inventory, which means that we can record our ONT inventory and tie it in with customers, allowing me to know exactly which customer has which piece of equipment. Further, with the northbound interface module, I can use the inventory data to generate a configuration linked with a customer and have one click customer provisioning. Behold! I have made our jobs so much easier! Upon creating a customer, I can provision an ONT in under 15 seconds, record where it is going and where it was, and I don’t even have to unpack the unit. I can hand it to an installer, who installs it at a customer’s house, plugs it in, turns it on and it provisions instantly. Now, while a lot of this does not involve the northbound interface, you can see how I have taken three tasks and combined them into a fluid cycle. (Note, this cycle does not work for everyone, or every deployment, which is why I am currently redesigning the process.) Inventory is linked to a customer, and linked to CMS, and the installer does not have to carry a buttset around and punch in registration IDs. I wish I could explain more, because with the addition of other modules, and more detail, A LOT more cool stuff can be automated.


Building the module, take one

When I first designed this module, I honestly knew almost zero about HTTP requests, Python, XML, SOAP, PHP, JS and Love. Refrain from laughing as much as possible when you see my code and keep in mind that I was learning. Also keep in mind that once I got this working, it became the bomb-diggity for our company. I decided to use Python, because WHY THE HECK NOT?!? Mostly I was aware of how bad PHP was, and I wanted to make the service available even in non web based environments (Yes, I am aware that CLI PHP is a thing, but still I wanted to refrain from using it as much as possible). So I got to work writing Python scripts that would take in FSAN numbers, ONT IDs, bandwidth profiles and everything else as arguments. I could then process it and spit out the result. The code was messy: some outputs were XML, others were strings, and some just returned a 1 or 0. If you want to see how bad it is, here is the link to the github repo. A lot has changed and is not reflected there. It is now a lot more structured and allows for provisioning of SIP services, RG interfaces, and other stuff.


Provisioning was a simple three click process that auto assigned the ONT to a customer, and made a note in the inventory on the whereabouts of the ONT. It even included error checking, allowing us to make sure things went smoothly during the provisioning process.


CMS integration was a module added in the early stages of the FMS development. After the module was created, it didn’t really change, mostly because it just worked. Only recently have I had to make drastic changes to the FMS, which pretty much required a redesign of the whole module.

The process effectively went from this


to something like this


🙁 I am sorry that I cannot show you the inner workings of my new process, but I have been instructed that I cannot display the secret sauce. As you can see, this new flow is a lot more structured and has a lot more going on. What I can explain is what makes the system a heck of a lot better than before.


Dynamic, TO THE MAX

One benefit this new module brings is flexibility that previously did not exist. The old code relied on a config file that stored all of the variables for connecting to CMS.


This limitation only allowed you to query one system from one CMS server. The new module allows for dynamic addition and deletion of systems, meaning that multiple CMS hosts with multiple access systems can be queried.


One feature, or rather a byproduct that works as a feature, is that the result is transferred to the client as an HTTP request. This allows AJAX queries from server to client to occur instantly and be encoded in JSON. I effectively created an API for an API :P. I feel that there is potential to allow access from 3rd party devices/systems in the future.

I must wrap up this post, but before I do, I want to show you a screenshot of what kind of useful data is possible through the new Calix-NIAPI module.


It is certainly cool what can be done when you tie services into one another! If you have questions regarding this system or the processes involved, please contact me at


print_r(“hello world”);


First post!

If you are unfamiliar, I am currently working on a Fiber Management System for my job, which includes all aspects of maintaining and building a fiber network (I know, a lot). This post is the kick off of something that has already taken 8 months of my life, and I believe will consume many more in the future. Follow along as I fumble through work, attempting to grasp concepts and lingering issues with coding and office politics.

My hopes are to eventually release this software as a service to smaller ISPs wishing to deploy and maintain fiber networks. After all, that is its main purpose.


Hoodland Library Transition


Last month, SandyNet had to get Internet connectivity from the old Hoodland library, across the street, to the new one. Part of the switch required a new line to be dragged from our splice case on Welches Road to the new library. Northsky got an OFS 24 pair (I think?) to the site, but left it coiled up outside. So, the team and I performed the first ever SandyNet aerial splice.

In addition, Chris and I did a tower climb a week or so later and dragged 16 Ethernet cables up our Waybill tower. From there, we performed a few rescue training exercises, and called it a day.


It has been a while since my last post, and a lot has happened since then. I have spent a lot of time writing a piece of software: a customer record and helpdesk management system.

Introducing Speedtest Stats!


Within the past couple of months, we set up a speedtest server that our customers, and everyone else, can test against to see how fast their internet is to Sandy, OR. All tests and accessible information are stored on OOKLA’s reporting site, and can be downloaded in CSV format. What we wanted to do is graph this data. Instead of using an MS product like Excel to graph the data, updating records and adding new tests to an existing table, I thought I would make a PHP/MySQL driven site to graph statistics. The project was fun, and when I was done, I wanted it to be publicly accessible and usable. For that reason, I got approval from my boss to place the project on GitHub.

Version 0.1.1 is out, and it will probably stay that way. I figured, maybe someone else out there wants to be able to graph their speedtest data. Maybe. We have over 15,000 tests in the past couple of months, making an SQL driven approach mighty attractive. Take a look at the screenshots below to see what it all does!



Now, I have never really polished a project, and this is the closest I have ever been to one. It gets the job done, and takes a little bit of configuration, but it does work, and people can download it and modify it to their liking.

The Xen Struggle is Real


I woke up at 6am this morning to a phone call from my boss. Barely awake, I answered in a very tired voice, “Hello.” His response was “The Xen environment is down.” I mean, it is read only Friday, this isn’t supposed to happen. Now, our environment is pretty small, but it runs all of our critical services: DNS, DHCP, AD, monitoring, file storage. I had my boss ssh into the box and see if there were any zombie processes. Sure enough, there were. Now, before, we had processes become zombies when our log files filled up the log partition and made everything choke. That was on XenServer 5.6, and things are different now. I was able to assign myself a static IP from my room and get into XenCenter, to find all of our hosts in maintenance mode. This would explain the zombie processes and the reason no VMs were on the hosts. I attempted to bring each one out of maintenance mode, but received an error (see below).


I got into the console of the master and ran xe pool-ha-disable, and boom, I was able to spin up all of our VMs. Once we restored service to the city, I attempted to think about what caused this issue. Obviously it was related to HA, but why would that cause all of our VMs to stop running? Part of the solution was found in the alerts section of XenCenter.



After cycling through each host, HA ran out of working hosts to break, so it just killed all of our VMs and placed all of the servers into maintenance mode. Since I was still really tired, and wanted to get some sleep before my classes, I told my boss to open a case with Citrix and have them dig through the logs. I went back to bed.

Turns out our NIC drivers were out of date, and it caused instability within our hosts. The resolution was to install some updated drivers from XenServer 6.2. It would seem that the upgrade to 6.5 wiped the already updated drivers, and they needed to be re-installed. Woot! The same day, I made my drive back up to Sandy and did late night BIOS upgrades of our IBM and Dell hosts, and installed updated Broadcom and Intel NIC drivers. I followed the guide from a Citrix support page to upgrade them. The upgrade took no time at all, but the migration of VMs over a 1Gbps connection was more than slow. After rebooting each host, the applied drivers should resolve our issue. This upgrade was performed on 4/3/15 and we have not had any reported issues yet.

We still have a case open with Citrix though, and we have not re-enabled HA just yet. I am waiting to find time to call and chat with them. According to my boss, if I call back in, they can assist and help get HA configured, tested and stabilized. I’ll update this post when that is completed, and show the results and process.

In addition, I made a post over at /r/citrix regarding my frustrations. The responses didn’t quite yield the response I was looking for, but were none the less interesting.


Migrating from IE9 to IE11


Now, I have put off this task for a long time. IE9 is old and crappy. I remember when it came out in 2011, and promised speeds as fast as Firefox 3.6… Well it turns out, every federal or state law enforcement site requires its users to use IE8. Custom ActiveX applets and other junk that they use to ‘secure’ data are so custom that they are only compatible with a specific version of IE, which is not secure. The fact that I have to use an old, unsupported version of IE to access data ‘securely’ is incredibly stupid. Diverting from law enforcement, other sites that are not standardized require the use of IE9 in compatibility mode just to display data correctly (I am looking at you, Granicus).


Now, the form of this post is step by step documentation of what I have done. As you read through it, I may make a change, and then end up reverting it, because it sucked. Do not follow this as a guide, but rather use it as documentation. I will most likely provide some form of process once I finish the migration.

3/11/15 – I decided to actually start preparing for the migration. For the longest time our WSUS server has denied the deployment of IE10 and IE11.

3/12/15 – Microsoft announced that an update, KB3033929 causes boot loops in Windows 7. This scares me, since I thought the installation of IE11 caused issues.

3/17/15 – It seems that Microsoft has been releasing a bunch of updates lately, and there is a huge bundle of them that need to be installed. IE11 has currently caused no problems, and is slowly being installed on other computers. Let’s continue to hope, as things move along smoothly. We have only had a few cases of our servers logging in with this error. It seems to have been resolved by updating the remaining updates for IE11 after the initial install.

3/22/15 – According to Lansweeper, most of our computers have been upgraded to IE11, and we haven’t had any issues so far. Fingers crossed that it won’t cause any more issues.


As of 3/22/15 it looks like there are no current issues. Either law enforcement and state sites are being updated, or IE is working better, or compatibility mode is working well enough. It was decided that if a site has issues with IE11, we will set users up with a XenApp subscription where they can use a remote app for IE9. With this setup, we hope we can keep IE up to date and secure, while still allowing access to any site.

XenServer upgrade from 6.2 to 6.5


XenServer 6.5 debuted in January of 2015, and naturally I wanted to wait a little before upgrading to a new major release in our production environment. That time came on March 21st, 2015. I scheduled a pool upgrade to 6.5 after hours. This post will consist of the upgrade process, any issues that arose, and the result and thoughts about the new version of XenServer. Release notes for XenServer can be found here.

Prepping for the upgrade – I learned the hard way when doing a rolling pool upgrade from 6.02 to 6.1: always read the documentation before upgrading. I logged into Citrix and looked over the upgrade process for XenServer 6.5 under the XenServer Installation Guide. I performed the database backup and offloaded it through SFTP. Then I downloaded XenServer 6.5 and uploaded the extracted files to an FTP site. After doing a few small housekeeping tasks (shutting down non critical VMs), I was ready to begin the upgrade.

Attempt 1 – I first tried to do an automatic rolling pool upgrade via FTP. After applying one last hotfix, I started the pool upgrade. The master rebooted, and said it was installing. After about 20 minutes an error came up that it had failed. Instead of trying to troubleshoot it, I burned XenServer to a CD and began the upgrade again, only this time in manual mode.

Attempt 2 – This process is a little longer, but I feel more confident upgrading via CD rather than an FTP site, and after beginning the upgrade process I realized that my FTP site was on a virtual machine hosted by the Xen hosts. Shouldn’t have really mattered, but still not super settling. The master took the upgrade no problem, and I then began on the other two hosts. As I waited for machines to migrate, I spent a large amount of the time listening to music and surfing reddit. Each Xen host upgraded, and there were no other problems.

My thought on why the pool failed to update automatically is that I didn’t point the Xen installer to the proper FTP directory. Either way, the manual upgrade worked flawlessly; it just took a bit more time than I expected.


The only thing that annoyed me was the amount of alerts and notifications that showed up.

I started the upgrade at 11pm, and finished up around 2:30am. It was by far the easiest XenServer upgrade I have ever performed, and I am hoping that we will see a noticeable increase in performance. Having an x64 Dom should be nice, and updated templates will allow us to begin upgrading our Ubuntu servers to 14.04 LTS.

Although, I don’t know if anything is really broken. Our monitoring systems are having no issues, but we’ll see on Monday if users have any issues.


Customer Configuration of Calix 844 GigaCenter’s


We have been deploying Calix 844s for the past few months at SandyNet, and we have had almost no issues, and have received almost no complaints regarding the units. Calix did a great job designing these units, and in my personal opinion, they are a large step up from the 836g units. Receiving them almost hot off the production line, we quickly rushed these things to deployment, and I will admit, I think they are one of the big reasons our fiber deployment has been so successful so far. From a customer standpoint, they need basic services such as reliable fast internet, dual band WiFi and an easy to use UI. The GigaCenter combines all of those main features, and more, into one slick looking box. We can even remote manage these boxes, so if a customer does not know how to change their SSID or security key, we can now do it from the comfort of our office (through Consumer Connect), instead of making a house call for a five minute fix. So far, we have been extremely satisfied with these ONTs, since they simply work. Time and time again, at SandyNet, we have acquired different devices in hope of finding a solution that simply works. We did not find it in Ubiquiti, Ruckus, Proxim, Mikrotik, etc. Mixing and matching these pieces of hardware in a production environment can sometimes result in a lot of problems (like trunking between Mikrotik and Cisco). Building a stand alone Calix system from the ground up has been an overwhelmingly pleasant experience. Okay, I will admit, it was rough until we understood the system and how to configure it, but once we got our bearings, it was pretty smooth sailing. Some minor issues were firmware bugs that were quickly resolved. And we mean quickly. We’re not talking about firmware upgrades that take six months and are more detrimental than useful, *cough* UBNT. Simple problems with memory leaks or incompatibility between 844s and some new Macintoshes were resolved in a very reasonable time. Firmware upgrades are a breeze, and overall, having such a great ONT has already saved us so much time, and has allowed us to focus on other projects and problems such as continuing the deployment of our fiber network.

From a technician standpoint at SandyNet, the provisioning of an ONT is very easy. We pull the unit off the shelf in the morning, input the FSAN into CMS, record it in our database, and send the unit out with our installer to be placed in a customer’s home. Once installed, the ONT upgrades its firmware, reboots and then applies its configuration. That is all there is to it. The customer is now online. One unit combines Ethernet, WiFi, RJ-11 ports and modem in one box. Customers no longer need to purchase a wireless router, and most of our deployments contain only an 844. The simplicity of the device makes it mighty attractive to our customers and us, since it is less complicated for the customer, and it is all squeezed into one device that we can manage easily. Most of our customers do not know how to change their WiFi options, or what the best practices are, so they often call in after being installed, requesting us to help configure the device. Other customers have enough background knowledge to log in locally and change their options. Either way, the setup is mo-betta than our previous infrastructure.

Now, all I have done is praise Calix for these units. That is not all I intend to do. Some customers have searched for help in configuring their ONT 844’s, and that is what is next.

Configuration of the 844

Our installers should be placing a sticker on the ONT that lists the factory default settings for the modem. It should include the SSID and Key to connect to the WiFi, and the default IP for the web interface on the device. Below that, there is a username/password that is the default login info for the device. Before customizing your modem, complete the following.

Connect the computer you are using to configure the modem to one of the Ethernet ports on the ONT. If you are changing WiFi settings over WiFi, you’re gonna have a bad time. Once you are connected through a patch cable, you may open up your favorite browser and navigate to the gateway IP (Generally and input the username and password (Username: admin, Password: *checkthesticker*). You should be greeted with a friendly looking page like below.



From here, we have a few options:

Status – will show you information regarding the unit and its many statuses, including connected devices, WiFi configuration and any associated devices.

Quick Start – is a simple configuration wizard that helps customers quickly configure their ONT.

Wireless – provides all options for configuring any WiFi related feature.

Utilities – provides troubleshooting programs to help determine possible problems, or view log information.

Advanced – holds all of the less common options for ONTs, including port forwarding, QoS, routing and network options.

Support – provides details when receiving help from a SandyNet technician.

Most of the configuration will simply be done under the Wireless tab, since everything else is pre-configured, or not commonly changed.


Under the Wireless tab, there are four side menu buttons: 2.4G Network, 5G Network, Advanced Radio Setup and WPS. For the sake of making this simple, we are only going to operate within the 2.4G and 5G Network buttons.

Note: 2.4G is currently the most common frequency for WiFi, so this radio should probably be used. 5G is standard on all devices within the past couple of years, and can be enabled if your devices support it.

First, let’s make sure we have the 2.4G radio turned on. It is on by default, but select the Radio Setup button under the 2.4G Network button on the left hand side. Make sure the wireless radio is set to On, not Off. Hit Apply after you have made your change.


Next, let’s give our 2.4GHz network a good name. Select the SSID Setup tab and select the SSID that is named CXNKXXXXXXXX and make sure it is enabled. Now you get to be creative (or not so creative) and change the name of your wireless network. A lot of our customers want to keep their previous WiFi configuration, so if you wish to do so, fill out the Rename SSID box with your previous wireless network name (it is case sensitive). If not, come up with a good identifier for your WiFi, and no, FBI-surveillance-van-3 is not a good name, since everyone seems to set their WiFi to that.



Hit Apply and let’s move on to security.

Under the security button, you will need to now select your newly renamed SSID from the dropdown menu labeled SSID (Network Name). Now we get to select the security type.

The following options are available:

WPA-WPA2-Personal – combines both the WPA and WPA2 encryption methods for maximum device compatibility. This will accept the passphrase at both encryption levels, making it less secure than WPA2, but it should work with all devices.

WPA2-Personal – the strongest encryption method for WiFi at the time of this article. Any devices that are not WPA2 compatible will be unable to connect, so make sure all of your devices are compatible.

WEP – is extremely weak, and in my book is not encryption. There is no algorithm, just a hex code encrypting the data, making it extremely insecure.

Security-Off – makes the network open for anyone to connect. There is no password.

Pick your desired security type and then move on to the encryption type. For WPA and WPA2, I recommend AES, since it is the best. For compatibility you may enable TKIP or both.

Now you can set your security key. If you wish to keep the ridiculously long default key, be my guest, but most people want to name it to their pet or something easily guessable. Hit the button Use Custom Security Key and type in your key. Hit Apply when you are done.



Woot! You have configured your 2.4G network to be whatever you wanted! If you wish to enable the 5G network, do the same thing under the 5G button.


As you can see, the Calix GigaCenter UI is very easy to use, and pleasing to the eye. Configuration of WiFi is extremely simple, not to mention its super dooper range! 🙂 We are happy with these devices, and we believe customers are too. Like always, if you have questions regarding me, my poor humor or how I became such an awesome person, email me at But if you are a customer in need of help with WiFi, SandyNet or the City of Sandy, contact them, not me, at: or call 503-668-2923, and you might get me on the line!

Getac 4G Card Woes


We have had our Getac F110s in production for about five months, and while we have not had issues with the speed of the computer, we have had numerous reported issues of the cell signal dropping and not being able to connect unless the tablet was rebooted, often saying “No device detected” or “Searching…”. Now, we are using Windows 7, and when I first imaged them, they featured the Sierra AirCard Watcher utility.


In September of 2014, Getac released SkyLight, which replaced the AirCard Watcher and did exactly the same thing. It even looked the same. This however did not resolve our issue. On top of that, it made it harder for us to deploy new Getacs, since it didn’t seem to activate newly installed SIM cards. Well, I am here to say that after a lot of frustration, I have found out why, and made it really easy to remedy.

On October 29th, 2014, Getac released a Jpeg called 4G module driver with the description – How to check 4G module Firmware. The image has been uploaded below.



Note: When we imaged our machines we took all of the drivers from the Windows 7 driver disk that shipped with each Getac and pushed them onto the image. Most of our current devices were using factory drivers. At the time of imaging them, this was all that was available. Our cards were running firmware version I didn’t see the problem, because when I first imaged the devices, I had no idea how to check the firmware, since there was only one package at the time. On top of that, we have since downloaded and re-installed the newer driver to the devices. Note: Our Getacs are using the EM7355 cards.

Well after a lot of frustration, I found out what was going on. Even upon installing the newer driver, the firmware was still not updating. I would download and install the, and the firmware on Skylight would still show Now, OK, Getac did document this… well sorta. On the download link, you will see the message (only for 4G module firmware version for Skylight. See below:



Ok, well now the firmware on my device still shows, and I need How do I do that? I have downloaded it, and installed it, and it is not upgrading the card firmware. While Skylight does still operate while using card firmware, it does not work well… Here is how I found out how to upgrade the firmware.

Now, there may be an easier way to upgrade the firmware, but this is the only way I have figured out so far. That is to remove the device and driver from the system and install the latest driver. Now, it is finals week, and it is late, and I should be studying, but I am writing this instead, because I would rather do this instead of re-watching 30 minute lectures on binary search trees. I do not have access to a Getac right now, so I can’t get any screenshots. I will just have to explain it in words.

First off, pop open Control Panel and remove any software associated with Sierra Wireless. For us it was the driver and Skylight. Once removed, I went to Control Panel > Administrative Tools > Computer Management > Device Manager. From there, expand the network devices and find the 4G card (ie: Sierra crappy 4G card thingy) and select Uninstall. MAKE SURE TO CHECK THE BOX AND REMOVE THE DRIVER TOO. This will ensure that we get the files for out of the system.

Edit: Turns out you only need to install the new package over the existing one, then upgrade it by going into Skylight and selecting your carrier, and it should auto upgrade the firmware. When you install the package, you get nothing. It installs the new drivers, but the firmware is not yet upgraded. Proceed by going into Skylight settings, and firmware tab and select a carrier. The firmware upgrade should start. If you already have your carrier selected, then you will need to select another carrier, upgrade it, and then select the new one again. Stupid way to do it, but it works.

Spoiler: I am going to jump ahead here. We got the card firmware upgraded, to and it still had the same message. Searching…. The only other idea I had was to upgrade the Getac Utility that was recently upgraded, in some magical attempt that it would do something. Well it did. Once it was updated, the 4G card connected right up to Verizon, and has been happy ever since. We have also only replicated this on one machine so far, since we found the issue out when I was off at college. During my winter break, I will be updating the remaining officers’ Getacs to see if it makes a difference. Fixing issues or not, this post is about upgrading firmware, so yeah.

Now, it is time to upgrade the Getac Utility. Download the latest one from Getac’s site:



Install it, and proceed to install the firmware from Getac’s site:



Once the firmware is installed and complete, install Skylight.

And once that is done, make sure your configurations in Skylight are correct.

We use Verizon, so that is our carrier we have selected. Just for giggles, select it again from the drop down menu, even if it was already selected, and see if it changes the firmware again. You should already be up to date, but if not give that a shot.

Also, we have our profiles connect automatically on startup, and connect even when roaming. That is just our priority as a police department.

That should be pretty much it. Make sure you reboot also to test it. I haven’t had much time to play with the new Getac Utility, but it offers some cool options for passthrough while docked, and more fine tuned options.

ALSO! I just remembered, under the ECO tab in the utility, we have started selecting the WWAN to be set to on. By default it is off, but the card still works. We don’t know what it does, but it can’t hurt right?

Thanks for reading, and like always, if you have any questions or comments regarding this post, please email me at

Finding the proper profile solution


When working in a Windows and Citrix environment, things can get a little complicated. It’s not super complicated, but just enough that a simple setting change makes all the difference in whether a profile is copied locally or to a remote location. Allow me to explain using my history of profiles.

Up until virtual desktops were deployed at work, all profiles were local. Anyone who logged onto another machine had no files and no AppData. This was perfectly fine, since we had the idea that each person pretty much had their own computer. Well, introduce XenDesktop 5, with no PvD (Personal vDisk) and randomly pooled desktops. In this case, you must enable folder redirection or use Citrix Profile Manager. After some issues, we went with folder redirection via GPO. This worked fine for the most part, except everything was redirected. EVERYTHING. This caused conflicts with AppData and link folders when applications installed stuff to them. After this had been in place for a year or so, I came into the picture and decided to rebuild the virtual environment from the ground up: new folder redirection scheme, new file server, etc. I introduced folder redirection as well, only I redirected only part of the profile:

  • Desktop (Because local government employees like sticking large files on the desktop instead of an organized folder)
  • Documents
    • Pictures
    • Music
    • Videos
  • Contacts
  • Favorites

That was it. The reasoning behind not redirecting AppData was simple: we are small enough that we do not need to, and it can and will conflict with other computers down the road. Redirecting it is nice because a lot of data transfers nicely, but it has the potential to be disastrous.

Anyone who has configured folder redirection knows that it is user based. I knew that when I first set it up, and it caused me some grief. Our AD environment was set up to be as organized as possible. Servers, physical machines, virtual machines, and employees all got their own OUs, which allowed me to assign the proper policies at a very detailed level. The employee structure went something along the lines of building -> department -> user sections, since our structure as a city was set up based on buildings: we don’t have accountants in both the police department and public works. They are in one location, which makes our structure very easy to set up. So under each department (if configured with virtual desktops) was an OU for folder redirection. This effectively split up our users. No problem really, they are already organized under their department OU.

The problem is when a user with folder redirection logs onto another computer. For the most part, their profile is redirected just fine, and it works. In cases with laptops and computers on slow connections, such as VPNs, it makes management a nightmare. So I went ahead and tried to find a solution, which involved running a WMI query to determine whether the computer was a server (for worker servers) or a laptop. If it was, overwrite their policy for the redirected profile and assign a local one. This pretty much doubled the login time. We kept this policy in place for a number of months, until recently I got fed up with some weird issue that kept copying my redirected profile to a local one and removing it from the server. I finally began to research other options.
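To make the abandoned WMI approach concrete, here is an added example (not the post’s own filter, which is not shown) of the classification a server-or-laptop GPO WMI filter relies on. It evaluates the same two CIM classes locally so you can see what the filter would have decided for a given machine before applying it fleet-wide; the property values are documented Windows ones, the function name and the "wants a local profile" rule are assumptions mirroring the post’s description.

```powershell
# Added example, not from the post: classify this machine the way a GPO WMI
# filter for "servers and laptops get a local profile" would.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
# Win32_SystemEnclosure.ChassisTypes: 8-11 and 14 are portable/laptop/notebook
# form factors, 30-32 are tablet/convertible/detachable.
function Get-MachineRole {
    [CmdletBinding()]
    param()

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure

    # ChassisTypes is an array; any portable value marks the machine as a laptop/tablet.
    $portableTypes = 8, 9, 10, 11, 14, 30, 31, 32
    $isPortable = @($enclosure.ChassisTypes | Where-Object { $portableTypes -contains $_ }).Count -gt 0

    $role = switch ($os.ProductType) {
        2       { 'DomainController' }
        3       { 'Server' }
        default { if ($isPortable) { 'Laptop' } else { 'Desktop' } }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ProductType       = $os.ProductType
        ChassisTypes      = ($enclosure.ChassisTypes -join ',')
        Role              = $role
        # Assumed rule from the post: servers and laptops were overridden to a local profile.
        WantsLocalProfile = ($role -in 'Server', 'DomainController', 'Laptop')
    }
}

# The server half of such a filter is plain WQL the GPO engine evaluates on every
# policy refresh (the cost behind the doubled login time the post mentions):
#   SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = 1
# Only machines matching it (workstations) would receive the redirected-profile GPO.

Get-MachineRole
```

Running this on a docked Getac or a VDI worker server shows immediately which branch the old filter would have taken, which is a quicker way to debug "why did this user get a local profile" than reading gpresult output.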

Well, I found something that works perfectly for our company: folder redirection based on computers. Now, before you ask yourself, isn’t this what he did before? Well… it kind of is, but this one is a lot better. I’ll explain.

Using the power of GPO loopback processing, I can assign user options to anyone who logs onto a computer. Can you see where I am going from here? Basically, if any user logs onto a computer that has folder redirection enabled (app servers and virtual desktops), then give them a redirected profile. While this does now create two profiles in some cases, it is way easier to manage than hunting down a lost profile that has been copied to a local machine. In addition, over time, desktops may have folder redirection enabled by default, which will allow for even better integration. But for the time being, it allows me to have tight control over which machines get redirection and which ones do not. Obviously Windows tablets and laptops need local profiles (because I do not like Offline Files) and simply need to be in an OU that does not allow folder redirection. What makes it better is when John Doe wants to use Suzanne’s laptop, he won’t get redirected either.
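As an added example (not the post’s own script), here is the computer-side loopback GPO described above built with the GroupPolicy module, plus a client-side check that reports which of the folders listed earlier actually ended up on a UNC path and which loopback mode the computer delivered. The GPO name and the OU distinguished name are assumptions; the registry value for loopback mode and the User Shell Folders value names are the documented Windows ones. The Folder Redirection settings themselves (User Configuration > Windows Settings > Folder Redirection) have no cmdlet and are still configured in the GPMC editor inside the same GPO.

```powershell
# Added example, not from the post. Assumed names: the GPO and the OU DN below.
Import-Module GroupPolicy

$GpoName  = 'FR-Loopback-Merge'                                   # assumed GPO name
$TargetOu = 'OU=VirtualDesktops,OU=Police,DC=city,DC=local'       # assumed OU of VDI/app-server computer objects

# 1. Create the GPO and enable loopback processing in Merge mode.
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
#    Merge keeps the user's own GPOs and layers this GPO's user settings on top, so the
#    redirection applies to whoever logs on to a linked computer.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Folder redirection for VDI/app servers via loopback'
}
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. Link it only to the OU whose computers should hand out redirected profiles.
#    Laptops and tablets live in other OUs, so they never receive it.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 3. Run on a client after logon: which of the post's redirected folders point at a
#    UNC path, and which loopback mode the computer policy delivered.
function Get-RedirectionState {
    $shell  = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $policy = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $mode = switch ($policy.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Off' }
    }

    # Registry value names Windows uses for the folders the post redirects.
    $folders = [ordered]@{
        Desktop   = 'Desktop'
        Documents = 'Personal'
        Pictures  = 'My Pictures'
        Music     = 'My Music'
        Videos    = 'My Video'
        Contacts  = '{56784854-C6CB-462B-8169-88E350ACB882}'
        Favorites = 'Favorites'
    }
    foreach ($name in $folders.Keys) {
        $raw  = [string]$shell.($folders[$name])
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Folder       = $name
            Path         = $path
            Redirected   = ($path -like '\\*')
            LoopbackMode = $mode
        }
    }
}

Get-RedirectionState | Format-Table -AutoSize
```

A laptop in a non-linked OU should report LoopbackMode Off and every folder under the local profile; a pooled desktop should report Merge with all seven folders on the file server. If a folder shows Redirected = False on a linked machine, check that the Folder Redirection policy inside the GPO is targeting the right security group before suspecting loopback.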

All in all, this choice has helped me un-clutter my AD environment and improve login times. It gives me a better degree of control on when profiles are redirected and when they are not. While this solution is not for everyone, it works for me, and I think we will continue to use it.