I’m kicking off a new series on the site with tips for putting together a VDI environment. What many admins and architects forget is that a larger VDI deployment puts new demands on the existing infrastructure: directory, DHCP, DNS, firewalls and Group Policy all behave differently when hundreds of desktops appear, disappear and rebuild themselves on a schedule. Here are my most common best practices for building one of these environments. These are specifically around existing infrastructure, and I have run into issues with every one of these points at customer sites.
- Active Directory Sites – Many customers create a new network subnet in their environment for a new VDI deployment. If you create a new subnet for VDI, make sure you add it to Sites and Services and map it to the site that holds the local domain controllers; otherwise the DC locator has no site hint for those desktops and may hand them a DC anywhere in the forest. (I once had a customer whose desktops were authenticating to their DC in their DR site – not the best use of WAN traffic.)
- DHCP – This one has been very frequent lately. You have to remember that VDI can be very fluid, especially if you are using floating desktops with refresh on logoff (my personal favorite). Because of this fluidity, you have to make special considerations with DHCP. If you are not careful, a recompose of a large pool of desktops can deplete the available IP addresses in your DHCP scope: every rebuilt desktop takes a fresh lease while the old lease is still held until it expires. You should set your DHCP lease to 1 hour for all of the subnets where VDI desktops will reside (clients renew at half the lease, so expect steady renew traffic on those scopes). You should also set a script to run, either on shutdown via Group Policy or by the View agent by configuring the power-off script in the QuickPrep settings. For details, take a look at “The Resolution” section in the blog article here. This script approach releases the IP address when the desktop refreshes, and the desktop obtains a new lease when it restarts. The issue comes when an admin has to delete some desktops: in that case the scripts do not run to release the IP addresses. However, your shortened lease time will reclaim those IP addresses within an hour.
- DNS – Make sure that your forward and reverse zones are resolving correctly. You should have dynamic updates enabled (secure updates only, so that just the domain-joined desktop can register and overwrite its own record) so the desktops register their A and PTR records with DNS correctly when they boot. I have had customers try to use DHCP to update DNS, but this always seemed to run into some kind of issue, so I typically try to deter customers from using that approach.
- DNS #2 – Also, when you run both an internal- and an external-facing environment, make sure to set the proper DNS records so that the same broker name resolves to the internal brokers from the inside and to the external-facing brokers from the outside, for users who may be logging in from either location.
- Read-only DCs – If you are using read-only DCs in your Active Directory environment, you may want to have a look at this MS KB article. I ran into a few issues with a customer running XP who was building their base image; we forgot this and they could not authenticate. If you run read-only DCs, make sure to fully read the article.
- OU Creation – Make sure when you create a new Organizational Unit in AD for the desktops that you DO NOT select “Protect container from accidental deletion”. If you are running XP desktops, this setting will prevent them from joining the domain correctly.
- Firewall ports – make sure the correct ports are open for the security servers and the brokers. This article is a great reference to make sure you have opened what you need.
- Group Policy loopback processing – You’ll definitely want to have a look through this MS KB article. Group Policy settings are split into a Computer Configuration and a User Configuration, and normally the user settings a logon receives come from the GPOs linked to the user’s OU, not the computer’s. Loopback processing changes that: it makes the user settings in the GPOs linked to the computer’s OU apply to whoever logs on to that machine (Merge mode adds them on top of the user’s own policies; Replace mode uses only the computer-side user settings). So say you wanted all users of VDI desktops to have the same wallpaper, but you wanted them to keep their regular wallpaper when they log into their regular desktop. That’s when you would use loopback mode, with the GPO linked to the VDI desktops’ OU.
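Because most of the items above are Windows administration steps, here is an added PowerShell pre-flight that walks the AD site, DHCP, DNS, OU and loopback points end to end. This is example code written for this post, not a script from the original article, from the author, or from VMware. The domain corp.example, subnet 10.10.20.0/24, site HQ, DHCP server dhcp01, the OU and GPO names, the wallpaper path and the desktop name vdi-desktop-001 are all assumptions; it needs the RSAT modules named in the #Requires line and WinRM access to the sample desktop for the site check.

```powershell
#Requires -Modules ActiveDirectory, DhcpServer, DnsServer, GroupPolicy
# Added example, not from the original post. Every name below is an assumption.
$Domain  = 'corp.example'
$Subnet  = '10.10.20.0/24'
$ScopeId = '10.10.20.0'
$Site    = 'HQ'
$Dhcp    = 'dhcp01'
$BaseDn  = 'DC=corp,DC=example'
$VdiOu   = "OU=VDI,$BaseDn"
$GpoName = 'VDI Desktops'
$Desktop = 'vdi-desktop-001'

# 1. AD Sites: map the VDI subnet to the site holding the local DCs, otherwise the
#    DC locator has no site hint and may send the desktops to a DC across the WAN.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $Site -Location 'VDI desktops'
}
# Verify from a desktop in the pool (assumes WinRM): both should report the local site / DC.
Invoke-Command -ComputerName $Desktop -ScriptBlock {
    nltest /dsgetsite
    nltest "/dsgetdc:$using:Domain"
}

# 2. DHCP: one-hour leases on the VDI scope so addresses held by deleted or
#    recomposed desktops are reclaimed quickly (clients renew at 30 minutes).
Set-DhcpServerv4Scope -ComputerName $Dhcp -ScopeId $ScopeId -LeaseDuration (New-TimeSpan -Hours 1)
$stats = Get-DhcpServerv4ScopeStatistics -ComputerName $Dhcp -ScopeId $ScopeId
'{0}: {1} free / {2} in use ({3}% used)' -f $ScopeId, $stats.Free, $stats.InUse, $stats.PercentageInUse
# Desktop side: the shutdown / QuickPrep power-off script the post refers to. Assumed
# content is a one-line batch file that runs:  ipconfig /release

# 3. DNS: secure dynamic updates on the forward and matching reverse zone so each
#    desktop registers its own A and PTR record at boot, then spot-check both directions.
Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure
Set-DnsServerPrimaryZone -Name '20.10.10.in-addr.arpa' -DynamicUpdate Secure
Resolve-DnsName -Name "$Desktop.$Domain" -Type A
Resolve-DnsName -Name '10.10.20.51' -Type PTR      # assumed address of the sample desktop

# 4. OU: create the desktop OU without the accidental-deletion protection flag, and
#    clear the flag if someone already ticked the box in the GUI.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'VDI'" -SearchBase $BaseDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'VDI' -Path $BaseDn -ProtectedFromAccidentalDeletion $false
} else {
    Set-ADOrganizationalUnit -Identity $VdiOu -ProtectedFromAccidentalDeletion $false
}

# 5. Group Policy: a GPO linked to the VDI OU with loopback in Replace mode, so the
#    user-side wallpaper setting applies to anyone logging on to a VDI desktop only.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null        # 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Wallpaper' -Type String -Value "\\$Domain\netlogon\vdi-wallpaper.jpg" | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null     # 2 = stretch
$linked = (Get-GPInheritance -Target $VdiOu).GpoLinks.DisplayName
if (-not ($linked -contains $GpoName)) {
    New-GPLink -Name $GpoName -Target $VdiOu -LinkEnabled Yes | Out-Null
}
```

The cmdlets used are the Windows Server 2012 and later RSAT modules; on the XP-era environments this post was written against you would do the same steps in the Sites and Services, DHCP, DNS and GPMC consoles. The loopback setting is a computer-side policy, so it only has an effect because the GPO is linked to the OU that contains the desktop computer accounts, not the users.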
These are some of the issues I’ve run into as of late. Feel free to post any others in the comments. The next set of design tips will cover networking.