template based server validations and automated logon tests

Discussion in 'Parallels Remote Application Server Feature Suggestions' started by RunarV, Jan 13, 2025.

  1. RunarV

    RunarV Bit poster

    Have had an issue where template-based servers (rebuilt weekly) could go out of sync in Active Directory, but show normal/OK in RAS Console.

    The latest instance was today: in a host pool of 4 RDSH terminal servers, all recreated from template Sunday at 04:00, a single host had trust relationship problems towards AD.
    As the Parallels RAS RDSH Agent was reporting all okay, the server was in full production and showing a big green OK, but would not log users on.
    As this one server had a lot fewer users logged on, load balancing would try to point every new session to this server.
    Setting the server in logon-disabled state would let users log on, and recreating the host from template fixed the issue. Quick and simple.

    My feature request is then to continuously, every "n hours", do authentication tests/logon tests and to set the host in "failed" state/logon-disabled state if any recurring failures are happening. The test could be as simple as %server%\ipc$, or the whole RDSH protocol could be tested with a test login/logout.
    The agent could parse the Event Log for trust relationship problems, authentication denied errors or similar.
    Also, it would be great if the Parallels RAS RDSH Agent could monitor users' login/session, and possibly redirect to other servers if login is failing on the first attempted server in the pool.
    With multiple errors or with trust relationship problems detected, the single server could be automatically recreated from the host pool template.
    As this is working per now, a failed server would render the whole host pool in an "invisible" failure state if login errors occur, due to the fact that no users are logged in to this server and load balancing really wants to even users out.
     
  2. ChrisM74

    ChrisM74 Parallels Outbound PM Bit poster

    Hi RunarV,

    I am an Outbound PM at Parallels. We do have tech partners such as ControlUp ScoutBees who are able to provide this kind of functionality today but I've logged this request for internal discussion to see what approach we may be able to take without negatively impacting other services.
     
  3. RunarV

    RunarV Bit poster

    I bump this thread, as we are having this issue running sometimes :)


    As has been written from Parallels about Citrix PVS: https://www.parallels.com/blogs/ras...pHTYfObg6Vu9BLNDwsCSOQnP6PoCT7CTQTLb4dquyKo9j
    Parallels RAS also suffers from computer account mismatch after a certain time.
    Usually, the Parallels RAS agent says all is okay, since the agent is up and can talk to the Connection Broker.
    However, underneath the calm ocean are a lot of event log messages that tell us that the machine is not in sync with Active Directory.

    Usually we need to start up the template machine that the terminal server is based on.
    Find the LAPS password for this administrator, log on locally and run PowerShell commands to fix the issue.
    Then we need to create a new version of this template and redeploy the worker RDSH host from this new template.

    And note to Citrix PVS, here it is just a click from the PVS Console to remediate, quick and easy :)

    It would be great if it was possible for Parallels RAS to detect these issues, and fix them by issuing the following commands:

    Detection:
    Test-ComputerSecureChannel -verbose

    Remediation:
    Reset-ComputerMachinePassword -Server FD-SRV-ADC20 -Credential domainjoin_admin_serviceuser@domain.com



    This also touches another small thing.
    It would be great if Parallels RAS would support safe storage of an Active Directory service account.
    Per now, it has to be deployed on every template for AD Join/RasPrep.
    Adding a safe usage of service account would help us to store, and not necessarily know the domain admin password, helping with overall opsec.
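
The detection and remediation steps discussed in this thread, as an added example that is not part of the original posts and is not Parallels code: a health check that a scheduled task could run on each RDSH host. It assumes Windows PowerShell 5.1 (where Test-ComputerSecureChannel and Reset-ComputerMachinePassword are available); the parameter names, the function Get-TrustHealth, the lookback window and the choice of NETLOGON event IDs 3210 and 5719 are assumptions of this example.

```powershell
#Requires -Version 5.1
# Added example: domain-trust health check for a template-deployed RDSH host.
# Run in Windows PowerShell 5.1 on the host itself (e.g. as a scheduled task).
[CmdletBinding()]
param(
    [int]$LookbackHours = 4,       # assumed polling window (the "n hours" of the request)
    [string]$DomainController,     # DC to reset against; needed only with -Remediate
    [pscredential]$Credential,     # domain-join service account, supplied at run time
    [switch]$Remediate
)

function Get-TrustHealth {
    param([int]$Hours)
    # 1. Active test of the machine account's secure channel to the domain.
    $channelOk = $false
    try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { Write-Warning "Secure channel test failed: $($_.Exception.Message)" }

    # 2. Passive test: NETLOGON errors in the System log.
    #    3210 = could not authenticate with a DC, 5719 = no secure session with a DC.
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SecureChannelOk = $channelOk
        NetlogonErrors  = $events.Count
        LastNetlogonErr = ($events | Select-Object -First 1).TimeCreated
        Healthy         = $channelOk -and ($events.Count -eq 0)
    }
}

$health = Get-TrustHealth -Hours $LookbackHours
$health

if (-not $health.SecureChannelOk -and $Remediate) {
    if (-not $DomainController -or -not $Credential) {
        throw '-Remediate needs -DomainController and -Credential.'
    }
    # Same remediation command as in the post, with the credential passed as an object.
    Reset-ComputerMachinePassword -Server $DomainController -Credential $Credential
    $health = Get-TrustHealth -Hours 0   # re-test the channel; ignore older log entries
}

# A non-zero exit code lets a scheduler or monitoring tool flag the host.
if ($health.Healthy) { exit 0 } else { exit 1 }
```

Event 5719 can also be logged once at boot before the network is ready, so a single 5719 alongside a passing secure channel test is better treated as a warning than as a failed host.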
     
