# citrix-vad
c
For non-persistent machines you can use certificate auto-enrolment (enabled via GPO and with Autoenroll/Enroll perms set on the Computer cert template). I can vividly remember using a scheduled task with a PowerShell script and the Enable-VdaSSL PowerShell script. The CUGC article I have in my notes no longer works 😞
j
Thanks, John. I think they might be doing something similar. The cert is requested at system startup after each planned/unplanned reboot, but all VDAs request the cert from a CA... I think following a routine patch cycle the CA hung/crashed and it wasn't noticed until no one could log in to Citrix. Trying to make that piece resilient. Most clients are secured behind a GW and it's disabled wherever I come across it, but this is for a bank so everything has got to be dialled up to max security where available, ta
g
Do you have just a single SubCA online? I don't have this use case, but I use autoenrollment, and with the templates deployed on 2 SubCAs either can be down and clients continue to enroll. We have them in different sites w/ different patch cycles to split the failure domain and make it faux HA.
c
They should have multiple subordinate issuing CAs with the AIA/CDP extensions highly available. You can even use MS clustering for making subordinate CAs highly available.
j
I think these guys have a single subordinate... I wasn't sure, if we add another, how to manage the failover... MS clustering is a shout.. I wasn't sure if there was something built in, or using NetScaler or the like?
c
You could deploy another subordinate CA; you would just have to make sure you deploy/publish the same templates.
As long as the templates exist and are published on the 2nd subordinate CA you shouldn't have to do anything such as load balancing, as the client gets the CAs from AD: https://serverfault.com/questions/961061/redundant-subordinate-issuing-ca-how-is-the-load-balanced
j
Nice one mate - it might just be that they only have a single subordinate running... nice that there is no need to LB / cluster 🙂