DFS for user profiles, redirected folders and general shares

[XenosTech]

So I have a query... The scenario is that we have  2 sites with each having their own dc but the users are shared to both DC's. We want to be able to have users roam between the 2 sites for work but we also want them to be able to access their user profile off whichever DC the original one is on, gain access to the general shares and specific shares attached to the original profile.

 

I read up microsoft doesn't really support this but we need a system like this setup.

[leadeater]

Your not actually storing roaming profiles on a domain controller are you? Don't do that use a dedicated file server.

 

Yes you can actually do what you want. First make sure you have setup your two sites in Active Directory Sites and Services, put the correct IP subnets and DC in each site then users will only authenticate to the DC on the local site unless it is offline.

 

Next you want to use DFS-R to replicate the shares to both sites, DFS will then use the most local copy of the data/share.

 

Also make sure your using a dedicated top level share for roaming profiles and another for home drive/folder redirection.

 

See here for more general information, so do a forum search for 'Folder Redirection' and 'Roaming Profiles'

 

 

[XenosTech]

3 minutes ago, leadeater said:

-snip-

 

So if a user has to go to both sites in a day what would happen in that regard ?

I'll read the stuff you linked when I get home (work is finally done yay)

[leadeater]

26 minutes ago, XenosTech said:

So if a user has to go to both sites in a day what would happen in that regard ?

I'll read the stuff you linked when I get home (work is finally done yay)

DFS-R is real time replication, you can define a schedule of what time ranges it is allowed to replicate and also limit the bandwidth if you need to.

 

An important note, DFS-R will not replicate open files. Files needs to be closed before it will replicate the changes/new file. Isn't really a big issue but something to keep in mind if you have more than one laptop/computer you use and leave something open then travel to the other site and expect to be able to see changes in say a word doc you were editing that is still open.

[Falconevo]

DFS replication has some pretty serious issues with file locking, if the user leaves a file open and in use on their application on Site A for example, that will cause a backlog queue to be created on the DFS replication service.

 

If the two sites share the same AD infrastructure, then this is technically possible however you will need to delve in to the realms of debugging DFS issues as they will occur regularly.  Another problem with DFSR is that it has no rate limiting capability by default, the default schedule will replicate at all times at the maximum available throughput.  This won't be nice on your cross site VPN or MPLS etc etc, it will chew bandwidth and potentially cause a knock on effect for other service(s).  The plus with DFSR is you can use a name space and have the roaming profiles direct to the name space value rather than a file path.  Bare in mind though that you have to set the primary server correctly for each site otherwise you will have data going back and forth between sites unnecessarily.  E.g User A in Site A loads profile from Site B instead of Site A = increased network bandwidth.

 

With 2012 R2 + you can also perform DFS replication off a file cluster, so if you had a file cluster in Site A and in Site B, DFS now allows replication between the two file clusters.  A normal file server will work just fine also but give you no highly available service in each site.

 

I would suggest looking through the dfsrdiag stuff and learning DFS before heading in to this one.

 

 

[leadeater]

52 minutes ago, Falconevo said:

 Another problem with DFSR is that it has no rate limiting capability by default, the default schedule will replicate at all times at the maximum available throughput.

It has rate limiting, or does since Server 2008 R2 when I last/first used it. Having a default limit isn't really possible since what should it be? Not something you can properly hand hold, best leave it off and allow to define it.

 

53 minutes ago, Falconevo said:

I would suggest looking through the dfsrdiag stuff and learning DFS before heading in to this one.

+1 to that. DFS is great and is extremely useful. DFS Replication is less than perfect and has plenty of quirks, particularly around temporary files and system files.

 

Standard DFS with storage array level replication is better but I'm assuming in this case that is not possible.

[XenosTech]

14 hours ago, Falconevo said:

-snip-

 

13 hours ago, leadeater said:

-snip-

I was mostly asking for a client.. I basically told him there was a way to do it but I'm not really familiar with AD and that kind of stuff... Hardware and backup applications are more of where my strengths lie now since I've been at this job.

[Falconevo]

10 minutes ago, XenosTech said:

 

I was mostly asking for a client.. I basically told him there was a way to do it but I'm not really familiar with AD and that kind of stuff... Hardware and backup applications are more of where my strengths lie now since I've been at this job.

Fair enough if you do get backed in to a corner for supporting or implementing it.  Let me know and I will at least be able to give you a head start.

[XenosTech]

1 minute ago, Falconevo said:

Fair enough if you do get backed in to a corner for supporting or implementing it.  Let me know and I will at least be able to give you a head start.

I'm probably not going to be the one implementing it... I'm just doing the research for now, though I may be the one to build out the file servers if anything.

[XenosTech]

Question to the both of ya @Falconevo @leadeater. Since this has to potential to be a mixed environment (win10 romain profiles with win7 profiles) What would be better to use... Roaming profiles or folder redirection ?

 They've had an issue where some of their win7 machines force upgraded to win 10 and some of the users profiles were corrupted, so they had to get a fresh AD profile and what now but they can't load their win10 profile on a win 7 and vice versa.

[Falconevo]

Unfortunately the profiles are now different on Windows 10, migrating them will need to be done manually otherwise you get corruption.  It's not the first I have heard of it, the profile system is different but MS didn't think of that when force upgrading people.  The group policy administrator should be in control of updates applied to systems and shouldn't let them just auto update.

Regarding your question about roaming vs redirection.. It depends on the user base you have, do you have a lot of people with laptops that move between sites or do you have static machines on each site that people would hot-desk to when the move over?

[XenosTech]

6 minutes ago, Falconevo said:

Unfortunately the profiles are now different on Windows 10, migrating them will need to be done manually otherwise you get corruption.  It's not the first I have heard of it, the profile system is different but MS didn't think of that when force upgrading people.  The group policy administrator should be in control of updates applied to systems and shouldn't let them just auto update.

Regarding your question about roaming vs redirection.. It depends on the user base you have, do you have a lot of people with laptops that move between sites or do you have static machines on each site that people would hot-desk to when the move over?

I know profiles are diff in win10 (this client's environment has a lot of corruption from the force updates). In regards of size it's a small environment think around 50ish people might be less. All of them move between the 2 site frequently on any give day (may be short of staff at one site for a time frame during the day etc) and speaking with him not to long ago he's going to let them use their own personal laptops along side the company desktop so that'll add more confusion to the roaming profiles. He uses both FR and RP so at this point I'm thinking to talk him out of using RP and just stick to FR since that would work better than RP in this case.

[Falconevo]

Personal laptops are a massive no no, I implore you to get this individual to reconsider and ban all personal laptops in a business.  It is bad news and you will regret it shortly after doing it.

 

If people are simply moving to static desktops on each side, I would use folder redirection to the UNC path/namespace specified for the location of the profile.  This is assuming you have the same AD structure spanned across both sites.

[XenosTech]

1 minute ago, Falconevo said:

Personal laptops are a massive no no, I implore you to get this individual to reconsider and ban all personal laptops in a business.  It is bad news and you will regret it shortly after doing it.

 

If people are simply moving to static desktops on each side, I would use folder redirection to the UNC path/namespace specified for the location of the profile.  This is assuming you have the same AD structure spanned across both sites.

Man he's hell bent on doing it so I'll leave him to that. I'm just trying to minimize profile corruption so I'll talking him into doing FR instead of RP (which I find to be a nuisance) and everything will be linked to GPO so I don't think personal laptops are going to break their domain, since with FR they'll just get the shares associated with the  AD profile.

[Falconevo]

Expect to get a file share, domain user profile and/or application content cryptolocked in the first 18 months if you allow for personal laptops to be used.

[XenosTech]

30 minutes ago, Falconevo said:

Expect to get a file share, domain user profile and/or application content cryptolocked in the first 18 months if you allow for personal laptops to be used.

You mean that whole ransom ware thing ? He basically allows users to do it now just not at both sites as yet.

[leadeater]

7 hours ago, XenosTech said:

Question to the both of ya @Falconevo @leadeater. Since this has to potential to be a mixed environment (win10 romain profiles with win7 profiles) What would be better to use... Roaming profiles or folder redirection ?

 They've had an issue where some of their win7 machines force upgraded to win 10 and some of the users profiles were corrupted, so they had to get a fresh AD profile and what now but they can't load their win10 profile on a win 7 and vice versa.

When you give a user account a profile path it will create a profile for each OS version, or more correctly profile version used in the OS. You should see something like [useraccount], [useraccount].V2 and [useraccount].V3

 

Going purely off memory V2 is used for Vista, Windows 7 and Windows 8/8.1 until a later hotfix where Windows 8 used V3 and Windows 8.1 used V4. Windows 10 uses V5. Basically you should be having problems with profiles conflicting when moving between computers with different OS versions, only issue you should get is if a profile get upgraded and broken, delete the profile and letting news ones get created should fix any issues.

 

https://support.microsoft.com/en-us/help/3056198/roaming-user-profiles-versioning-in-windows-10-and-windows-server-technical-preview

 

7 hours ago, XenosTech said:

What would be better to use... Roaming profiles or folder redirection ?

Never use roaming profiles without folder redirection, login/logout times will epic suck if they have a lot of documents. You can however use folder redirection without roaming profiles.

 

Roaming profiles get downloaded in full on login and uploaded in full on logout. What happens if you have 50GB of documents .

 

Folder redirection on the other hand just moves where your files are stored and only touches them when the user does, open/close/create/save.

[XenosTech]

2 hours ago, leadeater said:

When you give a user account a profile path it will create a profile for each OS version, or more correctly profile version used in the OS. You should see something like [useraccount], [useraccount].V2 and [useraccount].V3

 

Going purely off memory V2 is used for Vista, Windows 7 and Windows 8/8.1 until a later hotfix where Windows 8 used V3 and Windows 8.1 used V4. Windows 10 uses V5. Basically you should be having problems with profiles conflicting when moving between computers with different OS versions, only issue you should get is if a profile get upgraded and broken, delete the profile and letting news ones get created should fix any issues.

 

https://support.microsoft.com/en-us/help/3056198/roaming-user-profiles-versioning-in-windows-10-and-windows-server-technical-preview

 

Never use roaming profiles without folder redirection, login/logout times will epic suck if they have a lot of documents. You can however use folder redirection without roaming profiles.

 

Roaming profiles get downloaded in full on login and uploaded in full on logout. What happens if you have 50GB of documents .

 

Folder redirection on the other hand just moves where your files are stored and only touches them when the user does, open/close/create/save.

So I should be basically be telling this guy to just use redirection to save the pulling out of hair

[leadeater]

1 hour ago, XenosTech said:

So I should be basically be telling this guy to just use redirection to save the pulling out of hair

Yep, unless users really care about customization/settings following between computers which tbh they really don't. Not even an issue if they commonly use the same device anyway.

[XenosTech]

2 minutes ago, leadeater said:

Yep, unless users really care about customization/settings following between computers which tbh they really don't. Not even an issue if they commonly use the same device anyway.

Nice... Guess the only thing left for me to research is the changing of the domain name. I'm going to go mad with this influx of info .-.

[XenosTech]

On 1/27/2017 at 2:51 PM, Falconevo said:

double post

[XenosTech]

@leadeater @Falconevo how familiar are you two with exchange 2013 ?

[Falconevo]

53 minutes ago, XenosTech said:

@leadeater @Falconevo how familiar are you two with exchange 2013 ?

Depends what you are trying to accomplish

[XenosTech]

1 minute ago, Falconevo said:

Depends what you are trying to acomplish

Installing the management shell on a different server since the current one is giving an error

[Falconevo]

As long as the machine resides on the the same domain as the exchange system, you can install the management tool/role via the exchange setup and manage it with an administrative domain account.

However, fixing the error with management on the actual exchange host may be quicker.  Got any info on the error you are getting?