The MED-V Blog

The Microsoft Enterprise Desktop Virtualization blog.

Additional recommendations when using MED-V Workspaces configured for NAT Mode

Additional recommendations when using MED-V Workspaces configured for NAT Mode

  • Comments 2
  • Likes

SuccessFailureIn working with MED-V and supporting MED-V, I have found that there are three major areas that can be affected when using NAT mode instead of Bridged Mode with persistent mode MED-V workspaces.

- Application Icons not displaying properly (or being cached properly)
- Single-Sign-on (SSO) either does not work or has intermittent issues.
- Connections to domain resources fail

A lot of these issues can be avoided by doing some additional configuration changes to the underlying guest operating system to allow for these workspaces to behave better in a domain-joined setting.

Force Kerberos over TCP

Relying on UDP for authentication may cause issues with virtual machines running in Shared Network (NAT Mode.) For XP guest joined to Windows 2003 domains and later, you will alleviate many authentication-related issues by forcing Kerberos to use TCP instead of UDP. Use the registry setting originally outlined in KB article 244474.

- Registry key: HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
- Value name: MaxPacketSize
- Value type: DWORD
- Value Data: 1

ICMP and Group Policy Slow Link Detection

You will also want to get in front of any group policy processing issues with the guest operating system running in NAT Mode. With VPC 2007, There is an ICMP restriction for non-administrators. If this is an option for guest users, one recommendation would be to make the user a member of the local administrators group in the guest OS. If this is not desired, you will want to disable GPO slow link detection using the following registry modifications.

- Registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
- Value name: GroupPolicyMinTransferRate
- Value type: DWORD
- Value Data: 0

- Registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- Value name: GroupPolicyMinTransferRate
- Value type: DWORD
- Value Data: 0

NOTE: All registry changes recommended here need to be implemented prior to image deployment if possible otherwise every active workspace will need to be touched.

How to Troubleshoot Network Connectivity in MED-V v1 Workspaces

On regular Windows hosts, a network monitor trace is often the best way to nail down what may be going wrong. Isolating issues with network communication and authentication for MED-V workspaces should be troubleshot in the same way.

When dealing with connectivity issues, it is best to take a trace from the server side (the shared resource, domain controller, etc.) and workspace (guest) side at the same time. The challenge for active workspaces is getting a network monitor utility into the active workspace. You can update the policy to publish out a custom menu, command prompt, or Windows explorer instance and then use the File Transfer Wizard to copy the Network Monitor bits into the workspace.

Getting a Network Monitor installation inside the Workspace

First, it is recommended to publish out a command prompt as it is simple and lightweight. This way you can use this to install the Network Monitor utility (without having to redeploy the entire image.)

You can download the most recent version of Netmon here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

image

You then can use the MED-V File Transfer Wizard to copy the Netmon installer package into the workspace. You can do this by going to the MED-V System Tray and selecting Tools – then File Transfer.

image

You can then open up your published command prompt or explorer and run the setup either interactively or non-interactively using the following command:

NetmonSetup.exe /Q

Once NetMon or whichever protocol analyzer you are using is installed, troubleshooting will be along the same lines as if you were troubleshooting the behavior of a regular workstation.

Steve Thomas | Senior Support Escalation Engineer

The App-V Team blog: http://blogs.technet.com/appv/
The WSUS Support Team blog: http://blogs.technet.com/sus/
The SCMDM Support Team blog: http://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
The OpsMgr Support Team blog: http://blogs.technet.com/operationsmgr/
The SCVMM Team blog: http://blogs.technet.com/scvmm/
The MED-V Team blog: http://blogs.technet.com/medv/
The DPM Team blog: http://blogs.technet.com/dpm/
The OOB Support Team blog: http://blogs.technet.com/oob/
The Opalis Team blog: http://blogs.technet.com/opalis

clip_image001 clip_image002

Comments
  • Hi JC.

    Is there a way to permanently change the registry value from Bridged to NAT on a machine where the workspace has been deployed ALREADY? If I change the registry value it defaults back to the original setting which was set to Bridged mode after the Windows 7 host is restarted. Can you only make this change to stay on NAT permanently during the creation of the workspace?

    Thank you

    Johan

  • HKLM\Software\Microsoft\Medv\v2\VM\NetworkingMode

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment