This week I did more work on the client XenDesktop 5 environment I mentioned in a previous post.
This week we looked at why some Active Directory accounts showed as "Tainted" in Desktop Studio, and how we could solve the problem. I was able to reproduce it in the lab, so I can show you how to reproduce this scenario and how to fix it.
A little background information
In XenDesktop 5 the AD Identity Service is responsible for managing all Active Directory accounts required for virtual machines. In particular, this service is used heavily if we use Machine Creation Services (MCS) to create virtual machines quickly.
There are a number of GUI and PowerShell commands we can use to control the AD Identity Service. The complete PowerShell reference is here. There are, however, a few simple commands that will get you familiar with the kind of information stored in the service:
Get-AcctIdentityPool
This displays a list of all identity pools in the AD Identity Service
Get-AcctADAccount
This displays a list of all the AD accounts stored in the AD Identity Service
If I run these two commands against my lab environment, I get the following output:
Get-AcctIdentityPool shows the identity pool settings that will be used for all AD accounts created in that pool. So we see a reference to the OU, and also the naming scheme that will be used for all accounts created (the "NamingScheme" and "NamingSchemeType" properties).
Get-AcctADAccount lists all Active Directory accounts that are "known" to the AD Identity Service. If you have multiple identity pools, you can pass a parameter to the Get-AcctADAccount cmdlet to show only the AD accounts in a specific pool. In our lab, however, we have a single pool.
So what is a "Tainted" account?
An Active Directory account will be marked as Tainted if the AD Identity Service loses synchronization between itself and Active Directory. This can happen accidentally, and it will always happen if we delete a virtual machine from XenDesktop but choose to leave the AD account in place. We can use this to reproduce the scenario in the lab, which is useful for demonstrating the repair mechanism.
How do we force an account to become "Tainted"?
If we delete a virtual machine but choose to leave the Active Directory account intact, the AD Identity Service will mark the account as "Tainted".
Select the virtual machine to remove (in this example VDI-001):
Then, in the control options, we choose to remove the virtual machine but leave the AD account information in the AD Identity Service.
At this point the virtual machine is deleted, and if we look at the AD accounts in Desktop Studio we can see the account has been marked as "Tainted".
We can also query this with PowerShell by running the following command:
Get-AcctADAccount -State Tainted
If we now ask Desktop Studio to create a new virtual machine to replace the one we removed, it will not be created with the account SAMO2\VDI-001. For an account to be used by MCS, it must be marked as "Available" in the AD Identity Service. Our VDI-001 account is not marked as Available, so Desktop Studio would create a new account by following the naming rules of the identity pool. So in our lab environment the new account would be SAMO2\VDI-006.
How can we free this account for reuse?
We can issue a single PowerShell command to force the AD Identity Service to resynchronize with Active Directory and thereby make this account available for use with a virtual machine. The command we use is:
Repair-AcctADAccount -ADAccountName SAMO2\VDI-001
This is the command being run, and the output showing that it has succeeded:
Once the account has been released, we can check the account status via PowerShell like this:
Get-AcctADAccount -ADAccountSid {AD account SID}
and we see the following information:
Note that the State property now shows Available. If we check Desktop Studio, we see the following:
If we now create a virtual machine in this catalog, it will be assigned the available AD account VDI-001.
How can we fix several Tainted accounts?
The commands listed above repair a single AD account at a time. What if we have multiple Tainted accounts?
If we issue the following command through PowerShell we can repair all Tainted accounts:
Get-AcctADAccount -State Tainted | Repair-AcctADAccount
If we issue this command, we see the following output:
If we wanted to be more precise with this command, we could use the -IdentityPoolName parameter to repair only the accounts in a specific identity pool. For example:
Get-AcctADAccount -IdentityPoolName "London Lab" -State Tainted | Repair-AcctADAccount
I hope you found this article useful. Note that the method I showed to create a Tainted account is one that can be reproduced easily. There might be other ways that an account can be marked as Tainted that I'm not aware of, although the recovery steps should still be identical.
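The same audit-then-repair flow wrapped in a reusable function, as an added example that is not from the original post or from Citrix. It assumes the XenDesktop 5 AD Identity snap-in name shown below and that Get-AcctADAccount returns objects with ADAccountName, State and IdentityPoolName properties; the pool name 'London Lab' is taken from the post.

```powershell
# Added example: list Tainted accounts per identity pool, optionally repair them,
# and re-read each account afterwards so we only trust accounts that come back 'Available'.
# Assumption: this is the snap-in name for the XenDesktop 5 AD Identity Service cmdlets.
Add-PSSnapin Citrix.ADIdentity.Admin.V1 -ErrorAction Stop

function Repair-TaintedAccounts {
    param(
        [string] $IdentityPoolName,   # optional: limit the repair to one pool
        [switch] $ReportOnly          # list Tainted accounts without repairing anything
    )

    # Build the Get-AcctADAccount filter, scoped to a pool only when one was given
    $query = @{ State = 'Tainted' }
    if ($IdentityPoolName) { $query['IdentityPoolName'] = $IdentityPoolName }

    $tainted = @(Get-AcctADAccount @query)
    if ($tainted.Count -eq 0) {
        Write-Host "No Tainted accounts found."
        return
    }

    # Report first: a Tainted account means the service and AD disagree, so review before repairing
    $tainted | Group-Object IdentityPoolName | ForEach-Object {
        Write-Host ("Pool {0}: {1} Tainted account(s)" -f $_.Name, $_.Count)
        $_.Group | ForEach-Object { Write-Host ("  " + $_.ADAccountName) }
    }
    if ($ReportOnly) { return }

    # Repair one account at a time so a single failure does not abort the whole run
    foreach ($acct in $tainted) {
        try {
            Repair-AcctADAccount -ADAccountName $acct.ADAccountName -ErrorAction Stop | Out-Null
            # Re-query the account: only 'Available' means MCS can reuse it
            $after = Get-AcctADAccount -ADAccountName $acct.ADAccountName
            Write-Host ("{0}: {1} -> {2}" -f $acct.ADAccountName, $acct.State, $after.State)
        } catch {
            Write-Warning ("{0}: repair failed - {1}" -f $acct.ADAccountName, $_.Exception.Message)
        }
    }
}

# Usage: review the pool from the post first, then repair it
Repair-TaintedAccounts -IdentityPoolName 'London Lab' -ReportOnly
Repair-TaintedAccounts -IdentityPoolName 'London Lab'
```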