Now that we have prepared the network, installed and configured the data store, upgraded the Installer Service and remapped the drives (if required), we are ready to install MetaFrame XP Server with Feature Release 3. If you have decided to install FR3 on a Microsoft Windows 2000 Server, perform the following installation instructions. The following defines how to create a new MetaFrame XP farm. If you will be using MSDE or Microsoft Access as the data store, then this server will act as the host server.

1. Insert the MetaFrame XP for Windows, Feature Release 3 Server CD and click the Install or update MetaFrame XP Server button.
2. Click the MetaFrame XP Feature Release 3 button to launch the setup program.
3. Click Next to continue.
4. Click the I accept the license agreement radio button and click Next to continue.
5. You are now prompted to select the MetaFrame family member you have licenses for. It is important that you select the product family member that corresponds to the license number you will be entering later, or you might experience problems later. Click Next when finished.
6. You are now prompted to select the product type for which you are licensed. Select the proper Product code and click Next. Note: This information is found on the CD license label. For this example, I am installing a Retail version.
7. You are now prompted to select the components you will be installing. If you will be installing Installation Manager, I highly recommend removing the Packager component: open the Installation Manager key, right click Packager and click X Entire feature will be unavailable. Note: If you would like to use the Program Neighborhood Agent ICA Client as the pass-through client, then you will need to enable it for installation.
8. Click Next when you are finished selecting components.
9. If you have selected the Program Neighborhood Agent as the pass-through client, you will be presented with a screen asking you to enter the FQDN of the Web Interface 2.1 web server.
10. Click to select the Yes radio button to give end users the ability to use Pass-Through authentication. Click Next to continue.
11. You are now prompted to create or join a server farm. Click the Create a new farm radio button and click Next.
12. Enter a server farm name in the Farm Name text box and select the type of Data Store that will be used, as documented in the MetaFrame XP Farm Design section of the Design Phase Deliverable. You also have the ability to select the Zone the new server will exist in. For the first server in a farm I highly recommend using the default zone name. Click Next when finished.
13. For this example, I have chosen SQL Server as my Data Store, so the next screen prompts you to create the ODBC connection to the Data Store. Enter a description in the Description text box and select the SQL Server from the Server drop-down list. When finished click Next.
14. You are now prompted to select the authentication method. Click to select the With SQL Server authentication using a login ID and password entered by the user radio button. Enter the username and password that were entered in step 6 of How to Create a MetaFrame XP Data Store with SQL Server 2000. Click the Client Configuration button.
15. Verify the TCP/IP radio button is selected. If not, click to select it and click OK.
16. Verify the database created above is selected as the default database and click Next. If it is not already selected, click to check the Change the default database to checkbox, select the XP Data Store database and click Next.
17. Click Finish.
18. Click the Test Data Source button.
19. Verify it reads TESTS COMPLETED SUCCESSFULLY and click OK.
20. You are now prompted to enter a user account to assign Farm Administrator access. I recommend accepting the default and adding or editing Farm Administrators later, as documented in the MetaFrame Delegated Administration section. Click Next when finished.
21. You are now prompted to select how MetaFrame will deal with shadowing. Unless your customer requires disabling Shadowing support, I recommend accepting the defaults and clicking Next to continue. Note: With the defaults accepted, you will be able to assign shadowing rights on a user and/or group basis through policies.
22. Enter the TCP/IP port that the Citrix XML Service will listen on and click Next. Note: The default is port 80 and, unless you have a reason for doing otherwise, I recommend that you stick with the default across all servers in the farm.
23. If you will be running Web Interface 2.1 on the same server as MetaFrame, or neglected to remove IIS during install, then Web Interface 2.1 will automatically be installed during setup. This screen asks whether you want your users to be able to browse to the root of your server (http://myserver) instead of having to add the path. This requires that you are not presenting other data on this web server via that URL. When finished click Next.
24. Verify the farm and installation settings are correct and click Finish.
25. Uncheck the View the Readme File checkbox, select the Launch the ICA Client Distribution wizard checkbox and click Close to continue.
26. The ICA Client Distribution wizard opens. Click Next to continue.
27. Click Next.
28. You are now prompted to select the ICA client installation type. Click the Typical radio button and then click Next.
29. Click Finish.
30. Reinsert the Citrix MetaFrame XP Feature Release 3 Server CD and click OK.
31. Click Yes to restart the server and complete the installation of MetaFrame XP with Feature Release 3.

The following details how to upgrade the MetaFrame XP server hosting the Microsoft Access data store to MetaFrame XP with Feature Release 3.

1. As a best practice, I recommend you disable any virus software that might be running.
2. After the release of MetaFrame XP with Feature Release 3, Citrix found a few issues with upgrading from Feature Release 2 and re-released the Feature Release 3 code for those doing such upgrades. To avoid these issues, please download the updated FR3 code from CTX434343 - http://support.citrix.com/article/CTX434343.
3. Once downloaded, extract the installation files to a directory of your choosing and double click Autorun.exe.
4. Insert the Citrix MetaFrame XP with Feature Release 3 CD; the Citrix MetaFrame XP for Windows, Feature Release 3 splash screen will appear. Click the Install or update MetaFrame XP Server button.
5. Click the MetaFrame XP Feature Release 3 button.
6. Click Next to continue.
7. Click the I accept the license agreement radio button and click Next to continue.
8. Click Yes to continue with the upgrade of the current MetaFrame XP Server.
9. With the release of Feature Release 3, Citrix has added the ability to restore to a previous version of MetaFrame XP. This can take a lot of disk space, but with the size of drives we have today I highly recommend allowing setup to perform the backup. It might come in handy later. Click Finish.
10. Click the Launch the ICA Client Distribution wizard checkbox in order to upgrade the ICA Client update database to the 7.00 version. Insert the MetaFrame XP Components CD and click Close.
11. Click Next to continue to load the latest ICA Clients.
12. Click to select the Install from CD-ROM radio button.
13. Click the Typical radio button and click Next to continue.
14. Click Finish to continue.
15. Click Yes to restart the server and complete the installation of MetaFrame XP for Windows, Feature Release 3.

You have now successfully upgraded to MetaFrame with Feature Release 3. You will want to perform simple login tests to verify everything is working properly. I would also check the Windows Event Logs for any errors and take corrective action.

The following details how to add additional MetaFrame XP servers to an existing farm.

1. Insert the MetaFrame XP for Windows, Feature Release 3 Server CD and, when the splash screen pops up, click the Install or update MetaFrame button.
2. Click the MetaFrame XP Feature Release 3 button to launch the setup program.
3. Click Next to continue.
4. Click the I accept the license agreement radio button and click Next to continue.
5. You are now prompted to select the MetaFrame family member you have the correct license for. It is important that you select the product family member that corresponds to the license number you will be entering later, or you might experience problems later. Click Next when finished.
6. You are now prompted to select the product type for which you are licensed. Select the proper Product code and click Next. Note: This information is found on the CD license label. For this example, I am installing MetaFrame XPe.
7. You are now prompted to select the components you will be installing. If you will be installing Installation Manager, I highly recommend removing the Packager component: open the Installation Manager key, right click Packager and click X Entire feature will be unavailable. Click Next when you are finished selecting components.
8. Click to select the Yes radio button to give end users the ability to use Pass-Through Authentication. Click Next to continue.
9. You are now prompted to create or join a server farm. Click the Join an existing farm radio button and click Next.
10. Select the type of Data Store that the farm you want to join is using and select the zone you will be joining. If you will be connecting to a Microsoft SQL Server, click Connect Directly to the database using ODBC.
11. If you will be connecting to a Microsoft Access or Microsoft SQL Server Desktop Engine (MSDE) data store, click to select the Connect to a database on this MetaFrame XP server radio button and enter the name of the MetaFrame XP server hosting the data store. Click Next when finished.
12. If you chose SQL Server as the Data Store, the next screen prompts you to create the ODBC connection to the Data Store. Enter a description in the Description text box and select the SQL Server from the Server drop-down list. When finished click Next.
13. You are now prompted to select the authentication method. Click to select the With SQL Server authentication using a login ID and password entered by the user radio button. Enter the username and password that were entered in step 6 of How to Create a MetaFrame XP Data Store with SQL Server 2000. Click the Client Configuration button.
14. Verify the TCP/IP radio button is selected. If not, click to select it and click OK.
15. Verify the database created above is selected as the default database and click Next. If it is not already selected, click to check the Change the default database to checkbox, select the XP Data Store database and click Next.
16. Click Finish.
17. Click the Test Data Source button.
18. Verify it reads TESTS COMPLETED SUCCESSFULLY and click OK.
19. You are now prompted to select how MetaFrame will deal with shadowing. Unless your customer requires disabling Shadowing support, I recommend accepting the defaults and clicking Next to continue.
20. Enter the TCP/IP port that the Citrix XML Service will listen on and click Next. The default is port 80 and, unless you have a reason for doing otherwise, I recommend that you stick with the default across all servers in the farm.
21. If you will be running Web Interface on the same server as MetaFrame, or forgot to remove IIS during the install of Windows 2000 Server, then Web Interface 2.1 will automatically be installed during setup. This screen asks if you would like your users to be able to browse to the root of your server (http://myserver) instead of being required to add the full path (http://myserver/citrix/metaframexp). Use this only if the web server is not being used in any other fashion. Click Next to continue.
22. Verify the farm and installation settings are correct and click Finish.
23. Click Close to continue. We will add this server to the central ICA Client database later.
24. Click Yes to reboot the server.

You have now successfully added an additional MetaFrame XP Server to the farm. Repeat the above steps until all implementation phase servers are installed. Note: The first time any additional MetaFrame XP Server is added to a farm, it could take a few minutes to log in. This only occurs on the first reboot.

The following defines how to modify the installed MetaFrame XP components.

1. Click Start > Settings > Control Panel > Add/Remove Programs. You are presented with a list of all the applications installed on the MetaFrame XP Server; select Citrix MetaFrame XP for Windows, Feature Release 3 and click the Change button.
2. Click the Modify radio button and click Next.
3. Click Next when you are finished selecting components. I recommend that you NEVER install the Installation Manager Packager component on a MetaFrame application server in production. This component is meant for a dedicated server.
4. Verify the selection and click Finish to complete the changes.

You have now successfully added/removed components of MetaFrame XP with Feature Release 3.

The following procedures are just a starting point; you might need to add or remove some of them.
For a detailed list, please check out Rick Dehlinger's MetaFrame Installation & Tuning Tips document and Rick's new tuning tips web site, http://www.tweakcitrix.com. It is the bible of MetaFrame tips and tricks. Note: The registry entries listed below have been scripted into .REG files for your convenience. If you received this document independently of the other material (doc templates, REG file zip), you will need to download the latest version of this document and all the registry files discussed below from http://www.dabcc.com/miab. In addition, most changes seen below are also configurable via the MIAB.ADM file, as documented in the How to deploy MIAB.ADM section of this document, and/or with the Registry Checker utility documented in the How to Use the Registry Checker to Tune and Report Registry Values section of this document.

1. Remove or disable the RDP-TCP connection in the Citrix Connection Configuration utility: Start > Programs > Citrix MetaFrame XP > Citrix Connection Configuration, highlight rdp-tcp and press the Delete key to delete the RDP connection.
   Or (the recommended way): Start > Programs > Citrix MetaFrame XP > Citrix Connection Configuration, double click the RDP-TCP connection, uncheck the Unlimited checkbox, enter 1 in the Maximum Connection Count text box and click OK to finish.
2. Enable auditing in Local Security Policy: Start > Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy, then select the Success/Failure events you want to audit:
   - Audit account logon events: Success and Failure
   - Audit logon events: Success and Failure
   - Audit system events: Failure
3. Clear the name of the last person that logged into the server farm from the username field of the Microsoft Client.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   "DontDisplayLastUserName"=dword:00000001
   Registry File: DontDisplayLastUserName.reg
4. If you will not be using server side audio redirection, then you will want to disable Client Audio Mapping.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]
   "fDisableCam"=dword:00000001
   Registry File: disable client audio mapping.reg
5. Disable Dr Watson.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   "Debugger"=""
   Registry File: Disable Dr Watson.reg
6. Disable the roaming profile cache.
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "DeleteRoamingCache"=dword:00000001
   Registry File: Disable Roaming Profile Cache.reg
7. Set TcpMaxDataRetransmissions.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   "TcpMaxDataRetransmissions"=dword:0000000a
   Registry File: Increase Performance and Reliability over WAN links and the Internet.reg
8. Enable ErrorMode.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
   "ErrorMode"=dword:00000002
   Registry File: Set ErrorMode.reg
9. Disable the printer beep to reduce bandwidth and increase performance.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print]
   "BeepEnabled"=dword:00000000
   Registry File: Disable Printer Beep.reg
10. Set the Event Logs to overwrite entries as needed with a log size of 2 MB.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
    "MaxSize"=dword:00200000
    "Retention"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
    "MaxSize"=dword:00200000
    "Retention"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
    "MaxSize"=dword:00200000
    "Retention"=dword:00000000
    Registry File: Set Event Log Parameters.reg
11. Set the user ICA-TCP overrides.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop]
    "AutoEndTasks"="1"
    "MenuShowDelay"="10"
    "CursorBlinkRate"="-1"
    "DragFullWindows"="0"
    "WaitToKillAppTimeout"="20000"
    "SmoothScroll"=dword:00000000
    "Wallpaper"="(none)"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop\WindowMetrics]
    "MinAnimate"="0"
    Registry File: Set WinStation Overrides.reg
12. Disable print events in the Event Log.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
    "EventLog"=dword:00000000
    Registry File: Disable Logging of Print Events to the System Event Log.reg
13. Disable Spooler errors from being displayed on the server console.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
    "ErrorControl"=dword:00000002
    Registry File: Surpress Spooler Error Messages.reg
14. Disable the print spooler notification dialog from being displayed on the server console.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
    "NetPopup"=dword:00000000
    Registry File: Turn off NetPopup.reg
15. Disable the Alerter service in the Services applet.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
    "Start"=dword:00000004
    Registry File: Disable Alerter Service.reg
16. Set the IgnoreLinkResolver entry to fix the issue of shortcuts resolving to UNC paths.
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "LinkResolveIgnoreLinkInfo"=dword:00000001
    Registry File: Fix shortcuts resolving to UNC paths.reg
17. Remove Outlook Express from the Quick Launch bar and Start Menu.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    "Stubpath"=""
    Registry File: Remove Outlook Express from the Quick Launch bar.reg
18. Change the name of the My Computer icon to the logged on user and the machine name.
    [HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
    @="My Computer"
    "InfoTip"="Displays the files and folders on your computer"
    "LocalizedString"=hex(2):25,00,55,00,53,00,45,00,52,00,4e,00,41,00,4d,00,45,00,\
      25,00,20,00,6f,00,6e,00,20,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,\
      00,52,00,4e,00,41,00,4d,00,45,00,25,00,00,00
    Registry File: Change My Computer text.reg
19. Remove the Internet Connection Wizard. By default, the ICW will run for all users the first time they log into a server and get a profile. Delete the "^SetupICWDesktop" value from [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce]. You can also add or change the following entry:
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]
    "Completed"=dword:00000001
    Registry File: Turn Off Internet Connection Wizard.reg
20. Disable media sensing. By default Windows 2000 detects whether or not you have a cable plugged into the NIC.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters]
    "DisableDHCPMediaSense"=dword:00000001
    Registry File: Disable Media Sensing.reg
21. Disable the OS/2 and POSIX subsystems. If you do not have a need for these, disabling them can free up an incremental amount of server resources. Be sure you aren't using any OS/2 or POSIX apps before proceeding, however, since they won't run. To disable these subsystems, remove the OS2 and POSIX entries under [HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems].
22. Stop extra/unnecessary processes from running in each session. Remove the associated entries from [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]. Examples: ICABAR.EXE (MetaFrame administrator toolbar), NWTRAY.EXE (NetWare tray application).
23. Fine-tune the Server service: Start > Settings > Control Panel > Network and Dial-Up Connections > Local Area Connection > Properties > File and Printer Sharing for Microsoft Networks, then set Maximize Throughput for Network Applications.
24. Modify foreground thread timeslices: Start > Settings > Control Panel > System > Advanced tab > Performance Options, then set Application response to Background services.
25. Set the print spooler directory to the disk with the most free space (preferably the second partition): Start > Settings > Printers > File > Server Properties > Advanced tab, then set the Spool folder to d:\spool (d: being the drive with the most free space).
26. Install Internet Explorer 6.0 (if so desired):
    - From the command line run: change user /install
    - Install IE 6.0 through Windows Update
    - When IE has finished installing, from the command line run: change user /execute
27. Install any remaining critical updates by running Windows Update.
28. Remove any unwanted shortcuts from:
    - C:\Documents and Settings\All Users\Start Menu\Programs
    - C:\Documents and Settings\Default User\Start Menu\Programs
    - C:\Documents and Settings\Default User.domain_name\Start Menu\Programs
29. Disable any network services not required, e.g. Alerter, Indexing Service, Remote Access Connection Manager, Telephony and Telnet, just to name a few.
30. Protect the registry from anonymous access. The default permissions do not restrict remote access to the registry. Only administrators should have remote access to the registry, because the Windows 2000 registry editing tools support remote access by default. To restrict network access to the registry to administrators only, please see Microsoft Knowledge Base article Q155363.
31. Verify all Microsoft hotfixes are installed. The following tools assist with this task.
    Microsoft Hotfix checker (hfnetchk.exe): Hfnetchk is a command line tool to assess patch status for computers that are running NT 4.0 TSE and/or Windows 2000, as well as hotfixes for Internet Information Server 4.0 (IIS), Internet Information Services 5.0 (IIS), SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine [MSDE]), and Internet Explorer 5.01 or later. For more information please visit: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215. To download please visit: http://download.microsoft.com/download/win2000platform/Utility/3.3/NT45/EN-US/Nshc332.exe
    Microsoft Baseline Security Analyzer (MBSA): Microsoft has developed MBSA version 1.0, which includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000 and will scan for missing hotfixes and vulnerabilities in the following products: NT 4.0, Windows 2000, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, and Office 2000 and 2002. When finished analyzing, MBSA stores and displays detailed reports outlining recommendations on how to harden your server further. For more information please read the following MBSA white paper: http://www.microsoft.com/technet/security/tools/tools/mbsawp.asp. MBSA is available for download at: http://download.microsoft.com/download/win2000platform/Install/1.0/NT5XP/EN-US/mbsasetup.msi
32. Implement any Citrix Security Bulletins. Citrix posts security bulletins to its knowledgebase. To search for security bulletins please visit http://support.citrix.com/latestsecurityall!execute.jspa and search for security bulletins.
33. Set the Windows 2000 time source: Start > Run > cmd, then type: net time /setsntp:name_of_timeserver
    For more information on the Windows Time Service please visit the following links:
    - How to Configure an Authoritative Time Server in Windows 2000 (Q216734): http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q216734
    - How to Synchronize the Time on a Windows 2000-Based Computer in a Windows NT 4.0 Domain (Q258059): http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q258059
    - How Machines Determine the Time Source Server Using NET TIME (Q156460): http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q156460
    - Configuring the Time Service to Log When the Time Is Changed (Q307937): http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q307937
    Note: There are also many third party utilities to synchronize system clocks.
34. Clean up any error messages in the Event Log.
35. It is imperative to install antivirus software and keep up to date on the latest virus signatures on all Internet and intranet systems. Also, be very careful when selecting antivirus software and make sure it is compatible with a Terminal Services environment.
36. Create the ERD disk. Unless you run RDISK with a command line parameter, the only security info that makes it to the ERD is your initial Administrator user and password. Running it after modifications to the administrative users updates the SAM info. Run RDISK /S after crippling Administrator. This updates the backup security hive, which is then put on the ERD. Since Win2K creates this as an unlocked copy, be careful to securely store your ERDs.

Registry Changer (RC) will allow you to read areas of the registry, find the values, see what the recommended values should be, select the registry changes you want to make, and finally write those registry changes to a Visual Basic Script to be executed on the system. What makes this program stand out among the others is its ability to add and remove registry entries in the program without having to rewrite the application. The package includes 3 script files. The first is for tuning Citrix servers (regfile.regdat). The second script will allow you to make modifications to the .DEFAULT user in the registry (default_user.regdat); this will allow new users to have predefined settings for their Citrix environment. The third script is the same as the second, but it makes modifications to the HKEY_CURRENT_USER settings in the registry (login_user.regdat). To use this script you would reference the resulting .vbs file from the USRLOGIN.CMD file. This is good for users who already have a profile created and would otherwise not see any changes made to the .DEFAULT user. For more information and to download Registry Checker go to: http://www.dabcc.com/thinsol/downloads/Files/RegistryChanger1.0.zip

You are now ready to proceed with imaging servers and installing applications. Important: I highly recommend rebooting the server prior to continuing.
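The registry settings in the tuning list above are easy to lose to an image refresh or a hotfix, so they are worth auditing rather than applying once. The following Python script is an added example, not part of the original document or the DABCC REG file package: it parses a regedit export (REGEDIT4 or version 5.00 format, including the wrapped hex(2) string from the My Computer step) and reports every baseline value that is missing or has drifted. The BASELINE dictionary, the function names and SAMPLE_EXPORT are this example's own constructions.

```python
"""Audit a Windows .reg export against the MetaFrame XP tuning list above.
Added example (not from the original document or the DABCC REG zip); assumes
the export came from regedit /e, and SAMPLE_EXPORT below is constructed."""
import re

# Expected (key path, value name) -> data, taken from the tuning list above.
# Key paths are lowercased because registry paths are case-insensitive.
BASELINE = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system",
     "DontDisplayLastUserName"): 1,
    (r"hkey_local_machine\system\currentcontrolset\control\terminal server\winstations\ica-tcp",
     "fDisableCam"): 1,
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
     "DeleteRoamingCache"): 1,
    (r"hkey_local_machine\system\currentcontrolset\services\eventlog\security",
     "MaxSize"): 0x00200000,
    (r"hkey_local_machine\system\currentcontrolset\services\eventlog\security",
     "Retention"): 0,
    (r"hkey_local_machine\system\currentcontrolset\services\alerter",
     "Start"): 4,
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer",
     "LinkResolveIgnoreLinkInfo"): 1,
}

def parse_reg(text):
    """Parse .reg text into {lowercased key path: {value name: data}}.

    Understands dword:, quoted strings and hex(2) (REG_EXPAND_SZ as UTF-16LE
    bytes, which regedit wraps across lines with a trailing backslash)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # re-join wrapped hex lines first
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|(@))=(.*)$', line)
        if m is None or current is None:
            continue  # not a value line, or a value before any key header
        name, val = m.group(1) or "@", m.group(3)
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.lower().startswith("hex(2):"):
            data = bytes(int(b, 16) for b in val[7:].split(",") if b)
            keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val  # other types kept as raw text
    return keys

def audit(reg_text, baseline=BASELINE):
    """Return (key, name, expected, actual) for each baseline setting that is
    missing (actual is None) or differs; an empty list means fully compliant."""
    keys = parse_reg(reg_text)
    return [(k, n, exp, keys.get(k, {}).get(n))
            for (k, n), exp in baseline.items() if keys.get(k, {}).get(n) != exp]

# Constructed export: one correct entry, one drifted entry, several missing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DontDisplayLastUserName"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]
"fDisableCam"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:00200000
"Retention"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@="My Computer"
"LocalizedString"=hex(2):25,00,55,00,53,00,45,00,52,00,4e,00,41,00,4d,00,45,00,\
  25,00,20,00,6f,00,6e,00,20,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,\
  00,52,00,4e,00,41,00,4d,00,45,00,25,00,00,00
"""

if __name__ == "__main__":
    for k, n, exp, got in audit(SAMPLE_EXPORT):
        print(f"{n} under {k}: expected {exp!r}, found {got!r}")
```

Export the relevant hives with regedit /e on the MetaFrame server, feed the file to audit(), and rerun it after each imaging or hotfix cycle to catch settings that have been reset.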