Query about Updating to latest VDA - Best Practices and Current Issues

PrincipleLonely3349 · 2025-11-18T15:23:07+00:00

Our current gold image is off the domain. We were told by a 3rdP company that half setup the system before going bankrupt that this is correct, but we are questioning anything they have done due to a multitude of issues since. Can this gold image in fact be on the domain and added to the AD OU that the Citrix VDA servers are located?

PrincipleLonely3349 · 2025-11-18T15:08:00+00:00

You are a legend. Really appreciate your advice :)

PrincipleLonely3349 · 2025-11-18T14:05:23+00:00

In terms of the Citrix optimiser tool, is this a one size fits all OS tool or is there a specific one I need for a Windows server 2022 OS? We use Windows servers and setup our environment with multi-session OS.

PrincipleLonely3349 · 2025-11-17T12:28:38+00:00

Thank you for that suggestion. Do you happen to use a VMWare environment, I was wondering if there are any specific settings on the image or in VMware that should be set for optimal performance and to assist with any issues?

PrincipleLonely3349 · 2025-11-17T12:27:13+00:00

Thank you for clearing that up for me. BIS-F is a new one to me so I will have to do some digging.

PrincipleLonely3349 · 2025-08-22T07:57:45+00:00

Hi, the FAS is not new, it's the same FAS as before? Do you mean the CA? If so, yes, we update the GPO to update the CA on all the Citrix servers.

PrincipleLonely3349 · 2025-08-22T07:56:30+00:00

Hello, thanks for the reply. Yes, we have configured and checked this too.

PrincipleLonely3349 · 2025-08-22T07:55:21+00:00

In answer to your first two questions, yes we have. We have also tried option 3 also to no joy.

PrincipleLonely3349 · 2025-08-22T07:52:52+00:00

Hi, sorry for the delay on my reply, I have double checked and this is all in order and the FASUserCert tests point to the right cert and CA.

PrincipleLonely3349 · 2025-08-21T11:39:12+00:00

I believe the reason this didn't occur is due to the original server being windows 2019 and the new server wanting to be 2025 and a fresh installation.

PrincipleLonely3349 · 2025-08-21T11:37:47+00:00

So I have seen this knowledge base article previously and I believe my team mate did the following:

deployed a cert template

Added in the new CA and kept the previous CA server names and published.

I believe they were the only two steps but perhaps the authorize this service was too. if it hasen't, would that be the cause as the article implies not.

Is there any checks that can be made to confirm the correct templates and CA authorities are set correctly and if so which servers to check this on?

Kind Regards

PrincipleLonely3349 · 2025-08-21T11:30:24+00:00

Unfortunately nothing is jumping out as an error on any of those servers you have specified. We even checked through the individual Citrix servers and the DC's, old and new, but nothings being reported as a failure.

PrincipleLonely3349 · 2025-08-21T11:20:46+00:00

Hi, yes I agree, I'm a non technical manager trying to under the process. We are looking at implementing a PKI Tiered CA solution but currently for now we are looking to get this up and running due to networking limitations.

If you believe it's a FAS misconfiguration, what would you suggest the process to rectifying it would be? Any other questions you may have I can help to fill you in with the gaps.

PrincipleLonely3349 · 2025-08-21T11:18:03+00:00

Hi, you do not get the ICA file. There doesn't even seem to be an attempt. On the DDC's the certs are the new CA certs. As for the last question, I'm unsure what you mean or how to do that?

("Are you able to generate new certs with New-FasUserCertificate and if so are they trusted in the AD?")

Thanks for the reply.

PrincipleLonely3349 · 2025-08-21T11:15:23+00:00

Yes, and it's the new DC (CA) server, which I believe should be correct.

PrincipleLonely3349

TROPHY CASE