How to HA Citrix PVS TFTP services via NetScaler 10.1 using RNAT

I was recently working on a project to migrate a pair of NetScalers from FW 9.3 to a new set of MPX appliances running 10.1: Build

I was very pleased to know that Citrix deployed a native way to load balance TFTP traffic via NetScaler 10.1, primarely to HA PVS TFTP traffic.  You can read on how to do this on this post by Adam Gamble.

Be cautious! Citrix confirmed this is an issue on 10.1, however it has been fixed in version 10.1 build 123.x or later. Their suggestion is to  upgrade it to the latest 10.1 version(build 128.8) (Did not test with 10.5 yet).  This occurs due to the Packet Process Engine crash when TFTP traffic is triggered through the Netscaler, which will cause your NetScaler to reboot, and in some cases corrupt the NetScaler config file  (ns.conf)

Below is a way to get the darn TFTP process to work via UDP load balancing using an RNAT and utilizing USIP mode


  • MPX 8200 NetScaler 10.1: Build


In my case I created a new subnet for this.  Reason is because as you may already know, the source IP of traffic is usually your SNIP, however when using an RNAT you will see Source IP coming from the configured RNAT IP and not the SNIP.  So this is up to you.  Where I work now SourceIP is a big deal.

For this example lets use a random Subnet

1. Create new NetScaler SNIP for the new Subnet under NetScaler> System > Network > IPV4s

Then create your VIP that you will use for your DHCP Option 066 reservation.




2. Let create a new VLAN 999 (your VLAN TAG) for the subnet (Yes you can shrink the subnet size, just using this as an example :))  and in my case TAG the interface 1/1 to save some ports.  You can do this under NetScaler> System > Network > VLAN (Interface 1/1 is set up with full Trunk)


3. To be safe I like to ensure a new DIRECT route is created for the new Subnet to utilize the new SNIP.  This is under  NetScaler> System > Network > Routes > Basic

In this case, it would be Network: Netmask Gateway (Your SNIP):



4. Create RNAT under NetScaler> System > Network > Routes > RNAT

set ns rnat <Host/ Subnet IP> <Host/Subnet Mask> -natip <VIP IP>

In this case Network: Netmask: NatIP (Your VIP that will load balance that TFTP process)




5. Ok the hard part is done.  Lets now create TFTP Servers under NetScaler > Traffic Management > Load Balancing > Servers

TFTP01 =

TFTP02 =

TFTP Servers

6. Create your Service Groups under NetScaler > Traffic Management > Load Balancing > Service Groups. Under Advanced ensure “User Proxy Port” is set to “No” and “USIP” mode is set.  If this is not set, your TFTP traffic will not function

TFTP Service Group



7. Create VIP ( under NetScaler > Traffic Management > Load Balancing > Virtual Servers

Bind Service Group previously created

TFTP Service bind




8. Ok no more NetScaler work, since we are using “Use Source IP” we need to set the default gateway on the TFTP servers (TFTP01/02) to be set to the NetScaler SNIP

9. Lastly change your DHCP scope to include the Boot Server Host Name under option 066 to your VIP

Your are all set, now to update to 10.5 I guess 😛







PVS Gold image WMI issues fix

As part of a PVS image issue discovery project, I was able to determine that WMI was not working on several gold images which was causing several memory leaks, as well as event viewer complaining just about every 30 seconds.

Problems escalated whenXenApp hosts would completely run our of virtual memory which would end up affecting the overall user experience.


  • Windows 2003 SP3
  • Citrix XenApp 5.0
  • PVS 6.1.16


WMI not working on several Golden images.  My guess is this image was copied in a broken state and was replicated to many different images.


Run the following in command line

  • Regsvr32 %SystemRoot%\System32\wbem\wmidcprv.dll
  • cd /d %windir%\system32\wbem
  • for %i in (*.dll) do RegSvr32 -s %i
  • for %i in (*.exe) do %i /RegServer

The Windows Management Instrumentation Tester window may appear, this is normal and we can go ahead to close it.

If it does not work, I also suggest you run the following commands to repair WMI namespace:

  • net stop winmgmt
  • wmic /NAMESPACE:\\root path “’wmi'” delete
  • mofcomp %windir%\system32\wbem\wmi.mof
  • net start winmgmt

Restart the computer to check the result. If the issue persists, try the following steps:

  • winmgmt /verifyrepository
  • winmgmt /salvagerepository

PVS Gold image Admin shares fix

I was recently working on some PVS image issues where the Admin shares stopped working.  If that does not ring a bell, you access them like \\hostname\c$.

This was crucial for us for several reasons including utilizing AV scans as well as monitoring solutions such as ControlUP which is a great utility for monitoring your XenApp infrastructure.  You can read more about it by following this link.


  • Windows 2008 R2/Windows 2003 SP3
  • Citrix XenApp 6.5/5.0 & Citrix XenDesktop 5.6
  • Windows 2003/2008/Win 7


Windows Admin shares will stop working when the image was set to read only mode.


  • Open the registry editor on the machine you cannot connect to by clicking on Start, Run
  • Type REGEDIT and press Enter, then go to the key below


  • In the right-hand portion of the Registry Editor look for a key called IRPStackSize
  • If the key exists, double-click on it and increase the decimal value to 15 and click OK.
  • Close the Registry Editor, reboot the computer and try to connect to the network share. If you are still unable to connect follow the above steps again and increase the decimal number for IRPStackSize by 5 and try again.

Continue to do this until the stack size is large enough to permit access. Personally, I had to increase the number to 25 before I could connect. The decimal range for the parameter is between 11 and 50.

  • If the IRPStackSize key DOES NOT exist in the right-hand column of the registry editor, then click on right-click in the blank area in the right-hand column and choose New
  • Then Click on D-Word under the Key column
  • In the Name of the new key, type the name IRPStackSize and press Enter. Type the name with the correct capitalization as shown above.
  • Now double-click on the IRPStackSize key and type 15 in the value data box and place a dot next to Decimal then click Ok.
  • Close the registry editor and reboot the computer. Try to access the network share again. If the same error appears follow the steps above to increase the value and reboot again. Continue this procedure until the problem is resolved. The decimal range for the parameter is between 11 and 50.

Citrix Provisioning Services DB Offline support


With the introduction of Citrix Provisioning Services 5.6 and 6.x, there is a feature that is sometimes overlooked which will allow your Provisioned hosts to remain up in the event that the SQL database is down.


  • Windows 2008 R2
  • XenApp 6.5
  • XenDesktop 5.6
  • UPM 4.1
  • PVS 6.1


  • The PVS Stream service is down due to unavailability of the PVS SQL database causing ALL streamed servers to stop responding and bringing all your XenApp/XenDesktop hosts down
  • This issue also occurs in a highly available environment (2 provisioning servers or more).

Now lets remember that one of the responsibilities of the PVS Stream service is to communicate between the provisioning servers and the SQL Database, when the SQL database is down, and offline support is not enabled, the Stream service cannot function properly.

When this service is down, all Streamed servers/desktops stops functioning.


Enable the DB Offline Support feature in the Provisioning Services Farm

  • Using the Provisioning Services console, connect to your Provisioning Services farm. Right-click the farm and select Properties.


  • Select the Options tab, and select DB Offline.

  • Click OK and you are prompted to restart your Stream services on each server for the setting to take effect.


Provisioning Services antivirus exclusions

Citrix wrote an excellent article about the PVS Antivirus exclusions and thought I will share it with you.  In my experience with PVS, this is very crucial step as it will ensure you don’t interrupt the streaming process and/or slow things down.

If you are like me and decide to run the TFTP boot process on separate servers, you can create TFTP HA utilizing the NetScalers, if you decide to go this route which I recommend, you will need to exclude the TFTP directory on the separate TFTP hosts.  You can read about how to HA the PVS  TFTP boot process via the NetScalers from a previous post I wrote, which let me tell you it was no easy task.

To read the entire Citrix article about the Antivirus exclusions, click here.

A few recommended Server Side file exclusions.

C:\Windows\System32\drivers\CVhdBusP6.sys => (PVS 6.1)
C:\Windows\System32\drivers\CVhdBus2.sys => (PVS 5.6)
C:\Windows\System32\drivers\CFsDep2.sys => (PVS 5.6 and PVS 6.1)
C:\Program Files\Citrix\Provisioning Services\BNTFTP.EXE => (PVS 5.6 and PVS 6.1)
C:\ProgramData\Citrix\Provisioning Services\Tftpboot\ARDBP32.BIN => (PVS 5.6 and PVS 6.1)
D:\Store => ( i.e. local vdisk store)

A few recommended Server Side processes to be excluded.
C:\Program Files\Citrix\Provisioning Services\StreamService.exe => (All versions)
C:\Program Files\Citrix\Provisioning Services\StreamProcess.exe => (All versions)
C:\Program Files\Citrix\Provisioning Services\soapserver.exe => (All versions)

A few recommended Target Device exclusions.
C:\Windows\System32\drivers\bnistack.sys => (Only targets, Win2003/XP)
C:\Windows\System32\drivers\bnistack6.sys => (Only targets, 2008/Win7)
C:\Windows\System32\drivers\BNNF.sys => (Only targets)
C:\Windows\System32\drivers\BNNS.sys => (Only targets, Win2003/XP)
C:\Windows\System32\drivers\BNNS6.sys => (Doesn’t exist anymore with PVS6.1 Agent)
C:\Windows\System32\drivers\BNPort.sys => (Only targets)
C:\Windows\System32\drivers\CFsDep2.sys => (Only targets, Win2003/XP)
C:\Windows\System32\drivers\CVhdBusP52.sys => (Only targets, Win2003/XP)
C:\Program Files\Citrix\Provisioning Services\BNDevice.exe => (Only targets, 2008/Win7)
C:\Program Files\Citrix\Provisioning Services\TargetOSOptimizer.exe => (Only targets, 2008/Win7)