2V0-51.23 VMware Horizon 8.x Professional Questions and Answers

Windows golden image optimization is the process of reducing the size and improving the performance of the Windows OS image that is used as the base for the desktop pools. Some of the best practices for Windows golden image optimization are:

• Disable unnecessary services: Services that are not required for the desktop functionality or user experience should be disabled to reduce the resource consumption and potential security risks. For example, services such as Windows Search, Windows Defender, Windows Update, and Superfetch can be disabled for better performance and stability.
• Disable power options: Power options such as hibernation and sleep mode should be disabled to free up disk space and avoid potential issues with the desktop state. Hibernation can consume a large amount of disk space by creating a hiberfil.sys file that stores the system memory contents when the desktop is powered off. Sleep mode can cause problems with network connectivity and user sessions when the desktop is resumed from a low-power state.

Other best practices for Windows golden image optimization include:

• Activate Windows OS paging: Paging is a mechanism that allows the OS to use a portion of the disk as virtual memory when the physical memory is insufficient. Paging can improve the performance and stability of the desktops by preventing out-of-memory errors and reducing memory contention. However, paging can also increase disk I/O and wear, so it should be configured with caution and monitored regularly.
• Turn off automatic Windows maintenance (scheduled tasks): Automatic Windows maintenance is a feature that runs various tasks such as disk defragmentation, disk cleanup, security scanning, and system diagnostics in the background. These tasks can consume a lot of CPU, memory, and disk resources and interfere with the user experience and desktop performance. Therefore, it is recommended to turn off automatic Windows maintenance and run these tasks manually or on a scheduled basis when the desktops are not in use.
• Turn off automatic Windows Updates: Automatic Windows Updates is a feature that downloads and installs updates for the OS and other Microsoft products in the background. These updates can consume bandwidth, disk space, and CPU resources and cause compatibility issues with some applications or drivers. Therefore, it is recommended to turn off automatic Windows Updates and manage the updates manually or through a centralized tool such as VMware Update Manager or Microsoft WSUS. References: [Optimizing Your VMware Horizon View 7.x Golden Image] and [VMware Horizon 8.x Professional Course]

Horizon Connection Server instances keep their data in an AD LDS database, which is automatically synchronized between the Connection Server. AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. In a Horizon environment, each Connection Server instance has a copy of the AD LDS database and replicates changes to other Connection Server instances in the same pod. This ensures that the Connection Server instances have consistent and up-to-date information about the Horizon resources and user sessions12 References:

• Configuring Horizon Connection Server1
• Understanding VMware Horizon Services2

In VMware Horizon, to designate a Home Site for a user, you would use the "Cloud Pod Architecture" feature, which allows you to set home sites and manage global entitlements across multiple pods and sites in a Horizon environment.

In the exhibit's menu on the left, you should click on "Cloud Pod Architecture" to proceed with designating a Home Site for a user.

In a load balanced Horizon POD with three Connection Servers, there are 450 active Blast sessions connected. If one of these Connection Servers runs into an unplanned outage, only the active sessions from the failed Connection Server are disconnected, because HTTPS Secure Tunnel is disabled. This means that the other two Connection Servers can still handle the remaining sessions without interruption.

The HTTPS Secure Tunnel is a feature that allows Horizon Client devices to establish secure connections to virtual desktops and applications through the Connection Server. When this feature is enabled, all the display protocol traffic is tunneled through the Connection Server, which acts as a proxy between the client and the desktop. This increases the security and simplifies the network configuration, but also adds some overhead and dependency on the Connection Server availability1.

When this feature is disabled, the Horizon Client devices connect directly to the desktops using their IP addresses or hostnames, bypassing the Connection Server. This reduces the load and dependency on the Connection Server, but also requires more network configuration and firewall rules to allow direct access to the desktops2.

The Blast Secure Gateway is a similar feature that allows Horizon Client devices to establish secure connections to virtual desktops and applications using the Blast Extreme protocol through the Connection Server. When this feature is enabled, the Blast Extreme traffic is tunneled through the Connection Server, which acts as a gateway between the client and the desktop. When this feature is disabled, the Horizon Client devices connect directly to the desktops using Blast Extreme3.

In this scenario, both HTTPS Secure Tunnel and Blast Secure Gateway are disabled, which means that the Horizon Client devices connect directly to the desktops using Blast Extreme. Therefore, if one of the Connection Servers fails, only the sessions that were authenticated by that Connection Server are affected. The other sessions can continue without interruption, as long as they can reach their desktops directly4.

The other options are not correct for this scenario:

• All 450 active sessions are disconnected, and have to re-connect again by the end-user. This would be true if HTTPS Secure Tunnel or Blast Secure Gateway were enabled, and all the display protocol traffic was tunneled through the Connection Server. In that case, any failure of a Connection Server would disconnect all the sessions that were using it as a proxy5.
• All active sessions will stay connected, because HTTPS Secure Tunnel and Blast Secure Gateway are disabled. This would be true if there was no dependency on the Connection Server after authentication. However, even with HTTPS Secure Tunnel and Blast Secure Gateway disabled, there is still some communication between the Horizon Client and the Connection Server for session management and heartbeat monitoring. If a Connection Server fails, these communications are lost and the sessions are terminated.
• All 450 active session are logged off immediately. This would be true if there was a global setting in Horizon Console to log off users when a Connection Server fails. However, there is no such setting in Horizon Console. The default behavior is to disconnect users when a Connection Server fails, not log them off.

References:

• Configuring HTTPS Secure Tunnel
• Configuring Network Ports for Direct Connections
• Configuring Blast Secure Gateway
• Load Balancing Across Multiple Pods
• Horizon 7: Monitoring health of Horizon Connection Server using Load Balancer
• [Horizon 7 Pods]
• [Global Settings for Client Sessions in Horizon Console]
• [VMware Horizon Architecture Planning]

In VMware Horizon, predefined roles such as Inventory Administrators and Desktop Pool Administrators are designed to provide granular access control within the Horizon Console. Inventory Administrators typically have permissions related to managing the overall inventory of virtual desktops and applications, whereas Desktop Pool Administrators are specifically focused on managing and configuring desktop pools, including their settings, assignments, and provisioning.

The minimal level of Horizon Console access that the IT support center would need to help with Horizon desktop user issues is the Help Desk Administrators role. This role allows the IT support center to view and troubleshoot user sessions, reset user passwords, send messages to users, and perform other help desk tasks. The Help Desk Administrators role can be assigned to users or groups on any access group that contains the desktop pools or farms that the IT support center needs to support.

The other options are not the minimal level of Horizon Console access for this scenario:

• Local Administrators: This role allows full administration rights on a specific access group and its sub-access groups. This role can perform all the tasks of the Help Desk Administrators role, as well as create, edit, and delete desktop pools, farms, applications, entitlements, and other objects. This role is more than what the IT support center needs to help with user issues.
• Global Help Desk Administrators: This role allows full administration rights on all access groups in the Horizon environment. This role can perform all the tasks of the Local Administrators role, as well as create, edit, and delete access groups and global entitlements. This role is more than what the IT support center needs to help with user issues.
• Inventory Administrators: This role allows limited administration rights on a specific access group and its sub-access groups. This role can view and manage desktop pools, farms, applications, entitlements, and other objects, but cannot create or delete them. This role can also perform some help desk tasks, such as viewing user sessions and sending messages to users, but cannot reset user passwords or troubleshoot sessions. This role is not sufficient for what the IT support center needs to help with user issues.
• Administrators: This role allows full administration rights on all access groups in the Horizon environment, as well as global settings, licensing, roles and permissions, events configuration, and other system-wide settings. This role can perform all the tasks of the other roles, as well as configure and manage the Horizon infrastructure. This role is more than what the IT support center needs to help with user issues.

References: Understanding Permissions and Access Groups and [VMware Horizon 8.x Professional Course]

To entitle users and groups to pools, you need to perform the following steps:

• During pool creation in the entitlement pane, click on add, search for users and groups in the Active Directory, continue and finish the pool creation. This option allows you to entitle users and groups to a desktop or application pool at the same time as you create the pool3.
• Navigate to Inventory > Desktops > check mark a pool > click on Add Entitlement. This option allows you to add entitlements to an existing desktop or application pool after you create the pool4.
• Navigate to Users and Groups > Entitlements > click on Entitlements > click on Add Entitlements, search for users and groups in the Users pane and add the desired desktop pool in the next pane Desktop Pools. This option allows you to review and manage the entitlements for users and groups from a single location5.

The other options are not required or valid for entitling users and groups to pools. Running the Active Directory entitlement script in the golden master is not necessary as Horizon 8 automatically synchronizes with Active Directory domains that are configured in Horizon Console6. Specifying the desired Active Directory OU for the VMs during pool creation does not automatically add the preconfigured associated user group to the Horizon entitlements as you still need to select the users or groups from the search results7. References := 3: VMware Horizon 8 Documentation: Add Entitlements During Pool Creation 4: VMware Horizon 8 Documentation: Add Entitlements After Pool Creation 5: VMware Horizon 8 Documentation: Review and Manage Entitlements 6: VMware Horizon 8 Documentation: Active Directory Requirements for Horizon Connection Server 7: VMware Horizon 8 Documentation: Create an Automated Desktop Pool

A cloud implementation of a VDI solution over an on-premises solution is appropriate for the following scenarios:

• The organization needs to quickly scale-up in disparate geographical locations. A cloud VDI solution can provide faster provisioning, deployment, and management of virtual desktops and applications across multiple regions and data centers. A cloud VDI solution can also offer better performance, availability, and user experience for remote and mobile workers who need to access their desktops and applications from anywhere and any device12.
• The organization has limited CapEx budget. A cloud VDI solution can reduce the upfront capital expenditure (CapEx) required to purchase, install, and maintain the hardware and software infrastructure for a VDI solution. A cloud VDI solution can also lower the operational expenditure (OpEx) by shifting the responsibility of managing, updating, and securing the VDI infrastructure to the cloud provider. A cloud VDI solution can offer flexible and predictable pricing models based on usage, subscription, or consumption13.

The other scenarios are not appropriate for a cloud implementation of a VDI solution over an on-premises solution because:

• The organization already has infrastructure to support a VDI. If the organization has already invested in the hardware and software resources to support a VDI solution, it may not be cost-effective or feasible to migrate to a cloud VDI solution. The organization may also have existing policies, processes, and workflows that are tailored to the on-premises VDI solution and may not be compatible with the cloud VDI solution4.
• The organization needs to setup high availability and disaster recovery. While a cloud VDI solution can provide high availability and disaster recovery capabilities, it may not be sufficient or reliable for some organizations that have strict requirements for data protection, compliance, and business continuity. An on-premises VDI solution can offer more control, customization, and security over the backup, replication, and restoration of the VDI data and applications in the event of a disaster5.
• The organization controls highly confidential data. A cloud VDI solution may pose some risks or challenges for organizations that handle sensitive or regulated data, such as financial, healthcare, or government data. A cloud VDI solution may not meet the compliance standards or regulations that apply to the organization’s data. A cloud VDI solution may also expose the organization’s data to potential breaches, leaks, or unauthorized access by third parties. An on-premises VDI solution can provide more visibility, governance, and encryption over the organization’s data6.

References := 1: VMware: What is Desktop as a Service (DaaS)? 2: Parallels: VDI in the Cloud: Which Cloud VDI Product Is Right for You? 3: Microsoft Azure: What Is Virtual Desktop Infrastructure (VDI)? 4: VMware: On-Premise vs Cloud: Which is Better for Your Business? 5: VMware: Disaster Recovery Solutions for Virtual Desktop Infrastructure (VDI) 6: Microsoft Azure: Virtual desktop infrastructure security best practices

C:\Users\Waqas Shahid\Desktop\Mudassir\Untitled.jpg

To populate logon segment information in the Horizon Helpdesk Tool, the Horizon administrator must enable the timing profiler on all Connection Servers. This is done by executing the command vdmadmin -I -timingProfiler -enable. The timing profiler collects detailed timing data about the logon process, which is then displayed in the Horizon Helpdesk Tool, allowing administrators to troubleshoot and improve logon times.

To enable a virtual machine to power on with a PCI graphics accelerator, such as a GPU, attached to it, the administrator needs to reserve all guest memory for that virtual machine. This is because PCI devices require direct memory access (DMA) to function properly, and memory overcommitment can interfere with DMA operations. Reserving all guest memory ensures that no memory swapping or ballooning occurs on the virtual machine, and that the memory address space is contiguous and available for DMA56.

The other options are not required or valid because:

• Enabling Video Card 3D Graphics is not necessary for using a PCI graphics accelerator. This option is for using software-accelerated graphics or virtual shared graphics acceleration (vSGA) on a virtual machine7.
• Setting Memory Shares to High does not guarantee that all guest memory will be reserved. Memory shares only affect how memory resources are distributed among competing virtual machines when there is memory contention on the host. Memory shares do not prevent memory overcommitment or swapping.
• Disabling CPU Hot Plug does not affect the use of a PCI graphics accelerator. CPU Hot Plug allows adding or removing virtual CPUs from a powered-on virtual machine. It has no relation to PCI devices or DMA operations.

References := 5: VMware vSphere 7 Documentation: Add a PCI Device to a Virtual Machine 6: VMware Knowledge Base: Enabling DirectPath I/O causes virtual machines to fail to power on (1010789) 7: VMware Workstation Pro Documentation: Prepare a Virtual Machine to Use Accelerated 3D Graphics : VMware vSphere Resource Management Documentation: Memory Resource Management : VMware vSphere Virtual Machine Administration Documentation: Hot Add Memory and CPU Resources

Single sign-on (SSO) is a feature that allows users to log in to Horizon Client once and launch remote desktops and applications without being prompted for credentials again. SSO is enabled by default and can be configured in the Global Settings of Horizon Administrator. One of the settings is SSO Timeout, which determines how long the user’s credentials are cached before they expire. If the SSO Timeout is too short, users might be frequently asked for credentials when opening additional apps. To resolve this issue, the administrator can increase the SSO Timeout value or set it to -1, which means that no SSO timeout limit is set. References: Global Settings for Client Sessions in Horizon Console and [VMware Horizon 8.x Professional Course]

https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-console-administration/GUID-E2A7CA32-193D-43D9-B08E-DD20CAE9CA28.html

VMware Horizon Cloud on Microsoft Azure is the only deployment solution that meets all the requirements. VMware Horizon Cloud on Microsoft Azure supports Windows 10 Enterprise multi-session desktops, which are a new Remote Desktop Session Host exclusive to Azure Virtual Desktop on Azure1. It also supports App Volumes, which is a real-time application delivery system that enables IT to instantly provision applications to users or desktops. VMware Horizon Cloud on Microsoft Azure supports centralized brokering, which means that the Horizon Cloud Service acts as a single point of entry for end users to access their virtual desktops and applications. VMware Horizon Cloud on Microsoft Azure also supports automatic routing of end-users to the most appropriate virtual workspace, using the Universal Broker feature. Universal Broker is a cloud-based brokering service that provides a unified user experience across multiple Horizon pods and clouds.

VMware vSphere Desktop Edition does not support Windows 10 Enterprise multi-session desktops, as they are only available on Azure Virtual Desktop1. VMware Workspace ONE Unified Endpoint Management does not support App Volumes, as it is a different solution for managing devices and applications. VMware Horizon On-Premises does not support automatic routing of end-users to the most appropriate virtual workspace, as it requires manual configuration of load balancing and global entitlements. References:

• Profile production applications in Azure with Application Insights Profiler1
• Using Application Profiler - VMware Docs2
• First look at profiling tools - Visual Studio (Windows)3
• App Volumes Overview
• Horizon Cloud Service on Microsoft Azure Architecture
• Universal Broker Overview
• Workspace ONE UEM Overview
• Load Balancing Across Pods and Sites in a Cloud Pod Architecture Environment

The issue described indicates that the Horizon Connection Server is incorrectly handling traffic that should be directed to the Unified Access Gateway (UAG) and then to the VDI desktops. Disabling the Tunnel and Gateways settings on the Horizon Connection Server forces the UAG to handle the Blast traffic directly, ensuring that the connections are made to the VDI desktops' IP addresses, thus resolving the black screen and disconnection issue.

JPEG/PNG - Still images.

H.264: Rapidly moving content and motion graphics such as streaming video, video editing, and gaming.

HEVC: Rapidly moving content on a low bandwidth resource.

Proprietary Blast codec: Low-motion graphics, high-quality graphics such as Photoshop, and AutoCAD.

To enable the Senior Administrator's team, which is part of the "Horizon View Operators" AD group, to connect to vCenter and update the golden image, the Senior Administrator needs to assign the appropriate permissions in the vSphere Client. By adding the group to the vCenter Server with the necessary roles and privileges, members of the "Horizon View Operators" group will be able to access and modify the VMs required for maintaining the desktop pools in the VMware Horizon environment.

VMware vSAN is a storage product that allows the pooling of resources to create datastores in a software defined datacenter. VMware vSAN is a hyper-converged infrastructure solution that integrates compute, storage, and networking resources on industry-standard x86 servers. VMware vSAN aggregates local or direct-attached data storage devices to create a single storage pool shared across all hosts in the vSAN cluster. VMware vSAN enables you to provision and manage storage from the VMware vSphere Web Client or the VMware vCenter Server Appliance Shell. VMware vSAN provides several benefits, such as lower total cost of ownership, simplified management, high performance, scalability, and availability12. References := 1: VMware Horizon 8 Documentation: VMware vSAN Overview 2: VMware Horizon 8 Documentation: Benefits of Using VMware vSAN with Horizon 8

C:\Users\Waqas Shahid\Desktop\Mudassir\Untitled.jpg

VMware Horizon Client Configuration

To enable an instant-clone pool to use NVIDIA GRID vGPU, the administrator needs to do the following:

• Install NVIDIA GRID vGPU in the physical ESXi hosts and select Shared Direct in the Host Graphics Settings12.
• Prepare a golden image with NVIDIA GRID vGPU configured, including selecting the vGPU profile to use12.
• Take a snapshot of the golden image12.
• In Horizon Console, when creating an instant-clone pool, select Manage Using vSphere Client in the 3D Render field. Instant-clones inherit the settings configured in the vSphere Client for the golden image12.

Therefore, the possible reasons for the issue are:

• The administrator has selected Shared instead of Shared Direct when editing the Host Graphics Settings for the ESXi host in the vCenter Server. This option is for vSGA, not vGPU3.
• The golden image and snapshot that the administrator selected has not been configured for NVIDIA GRID vGPU. The administrator needs to verify that the correct vGPU profile is selected and that the NVIDIA drivers are installed in the golden image4.

The other options are not valid because:

• Horizon 8 does have an explicit 3D renderer option for instant clone, but it is Manage Using vSphere Client, not NVIDIA GRID vGPU12.
• Instant-clone pools do support NVIDIA GRID vGPU as long as the ESXi hosts and the golden image are properly configured12.

References := 1: VMware Horizon 8 Documentation: Enable NVIDIA GRID vGPU for Instant-Clone Pools 2: VMware Horizon 8 Documentation: Configuring 3D Rendering for Automated Instant Clone Farms 3: VMware Horizon 8 Documentation: Types of Graphics Acceleration 4: VMware Horizon 8 Documentation: Prepare a Virtual Machine to Use Accelerated 3D Graphics