User data: Where the profiles roam
Keeping track ain't so easy
Blog Trying to write an article concerning actual real world implementation of technologies like roaming profiles and folder redirection has proven surprisingly difficult.
At first blush it would appear to be a straightforward project: distil the research I have done on the subject over the past few weeks, combine it with several years of experience in the area and produce a 'how to'. Hopefully I can even throw in a bit of levity and a tone that makes the subject approachable by systems administrators who have only been ever so briefly introduced to the topic before it was on to the next chapter.
The reality of the situation has proven to be quite different.
Of all the things that have caused friction in my career, ensuring that user data is put in the right place so that it can be made redundant and backed up is the big one. It ties into other things, such as VPN versus VDI, network bandwidth and limits of local storage. There are liability concerns regarding the confidentiality of synchronised data, what should be locally cached, what shouldn’t. Most importantly perhaps, things like offline document availability are a huge concern for my travelling users. Since the topic is so vast and interconnected, I find it impossible to simply spit out raw information without context.
The problem is that when dealing with technologies designed to copy, redirect or in any way change the default storage behaviour of user data, the context is absolutely critical. Blindly implementing any of these technologies is one of the biggest (and sometimes last) mistakes that a systems administrator can make at any company.
So instead of an article that simply lists the click-by-click details of how to administrate these technologies, I am going to take the opportunity to have a frank discussion about the different scenarios you are likely to encounter. I leave it up to you to Google the actual implementation details.
The first scenario, and possibly the easiest, is one in which all your users are local or 'on net' all the time. Every single user you have is connected to the corporate network in one way or another, no exceptions. These could be folks on a VPN link, site-to-site links, RDPed into virtual machines, or even sitting in the same building as the servers themselves. Let’s dispense with the formalities and just outright say this folder redirection is the way to go here. Unless your users are hoteling (more on that later) roaming profiles is simply a bad plan. With folder redirection you don’t need to copy the whole profile over to the server every logon, you can simply redirect Application Data, Desktop, My Documents, and Start Menu to the server via group policy.
This is quite simply the quickest and most robust way to deal with this problem. The data is simply stored on the server, and since your users are required to be connected to the network at all times, then that data never has to be replicated anywhere. A VPN user (say teleworking from home) would not have a local copy of these folders, and would therefore have reduced liability exposure. The caveat of course is that you have to have wide enough network pipes between your users and your server, and the server itself needs to be fast enough to serve the data to users at something more than a glacial pace.
There are a couple of things to bear in mind about folder redirection. If you are implementing folder redirection for branch offices, you might consider plunking a file server in each branch, and using a combination of distributed file system (DFS) and distributed file system replication (DFSR) in tandem with folder redirection. DFS and DFSR can take care of replicating the data from the branch back to head office for you, and your users would have access to a higher-speed local copy of their data. All while still being stored on RAIDed and backed-up servers.
Also bear in mind that folder redirection is designed to work in tandem with offline files and folders. In order to store the user data on the server, but prevent long, tedious and unnecessary synchronization, make sure that offline files and folders is either disabled by group policy, or that the relevant folders are excluded individually on each machine.
Of course, even with all users being on net, there are still usage scenarios that can throw roaming profiles or folder redirection for a loop. In my previous article I mentioned users that log onto more than one machine (hoteling). If the user expects their 'user experience' to be the same on each PC, (ie their settings for various programs go with them from computer to computer) you may not be able to get away with just folder redirection.
Sponsored: Customer Identity and Access Management