Folder redirection fun with DFS and NAS

Folder redirection has been around since Windows 2000 and has undergone significant changes since then. The core function is the same: take a local directory path and point it somewhere else, without the user knowing or caring that it isn’t local. The advantage is that your users can store their important documents “on the network” without having to map drives or be told to save in a certain location. You can selectively redirect documents and app data but exclude photos, music, etc. if you choose. In this example, I am interested in redirecting My Documents for all users to a secure, redundant, and high-performance NetApp Filer. Technologies involved are Windows 7 Enterprise, Server 2008 R2 DFS, and NetApp CIFS shares running on a FAS2020.

First thing, create your CIFS shares on the filer. The way NetApp NAS with the CIFS protocol works is that the filer actually becomes a member of your domain. You can even apply certain GPO settings to it! The stated domain type is incorrect as I’m running in 2008 R2 native mode, but this doesn’t affect anything functionally from what I can tell.


Your CIFS shares are then managed just like a regular Windows server. You can even connect to the filer via the computer management MMC.


Each share you create exists inside a volume and has an associated qtree. All the other NetApp goodies still apply: deduplication, snapshots, auto volume grow, and opportunistic locking. The rest of the options look very much like a regular Windows file server.


I have created a single hidden share called Users$ that sits in a 300GB volume. All of my users’ My Documents folders will live here. Following best practices, I have granted Authenticated Users full control on the share, as I will control granular access permissions with NTFS. We’re ready to prepare the DFS namespace.

Now, in my redirection GPO I could simply point all users to redirect to \\<filername>\users$\<username>, but one of the values DFS provides is a consistent domain-based namespace: \\domain\<dfsRoot>\<redirection_root>\<username>. Everything that will exist as a file share in my environment will be accessible via a DFS namespace. It is much cleaner this way, and it is much easier to change targets should I need to enact my DR plan, which I would do via folder targets to my DR filer. I first create a new domain-based namespace in Server 2008 mode called Users (add a $ to the end to make it hidden).


This is simply the DFS root, which lives in the local file system space on my namespace server (domain controller). To be able to point to my filer I need to create another folder inside of this DFS root that can then be targeted to a matching folder on my NAS. So I will create a new folder called “root” on both NAS: \\cufas2\users$\ and DFS: \\domain.com\Users\. First create the new root folder on the NAS, then add a folder to DFS with a target that points to the root folder on the filer. Additional targets can be configured and controlled for redundancy, replication, and DR.


Before we configure the GPO let’s set permissions on the Root folder. This is a critical step and is what will ultimately make or break this configuration. Since this is the root folder for the entire share, remove permission inheritance and set the following permissions:

  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Authenticated Users - Create Folder/Append Data (Apply onto: This Folder Only)
  • Authenticated Users - List Folder/Read Data (Apply onto: This Folder Only)
  • Authenticated Users - Read Attributes (Apply onto: This Folder Only)
  • Authenticated Users - Traverse Folder/Execute File (Apply onto: This Folder Only)


This will allow all users to programmatically create their directory folders beneath the root folder as well as be granted full control to them without the ability to see anyone else’s folders. Domain Admins will have full control to all folders. Now we’re ready to set up our folder redirection GPO.
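
The root-folder ACL listed above, applied and then read back with Windows PowerShell. This is an added example, not part of the original post: the `DOMAIN\Domain Admins` group name is a placeholder, and it assumes the qtree uses NTFS-style security and that the script runs under an account allowed to change permissions on the folder.

```powershell
# Added example (not from the original post). Windows PowerShell / .NET Framework.
param(
    [string]$Root       = '\\cufas2\users$\root',   # root folder on the filer
    [string]$AdminGroup = 'DOMAIN\Domain Admins'    # placeholder: use your domain name
)

$inheritAll = 'ContainerInherit, ObjectInherit'
# Each entry: identity, rights, inheritance flags, propagation flags
$rules = @(
    @('CREATOR OWNER',       'FullControl', $inheritAll, 'InheritOnly'), # subfolders and files only
    @('NT AUTHORITY\SYSTEM', 'FullControl', $inheritAll, 'None'),        # this folder, subfolders, files
    @($AdminGroup,           'FullControl', $inheritAll, 'None'),
    @('NT AUTHORITY\Authenticated Users',                                # this folder only
      'CreateDirectories, ListDirectory, ReadAttributes, Traverse', 'None', 'None')
)

# Build a fresh DACL with inheritance blocked and inherited ACEs discarded
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r[0], $r[1], $r[2], $r[3], 'Allow'
    $acl.AddAccessRule($ace)
}
(Get-Item -LiteralPath $Root).SetAccessControl($acl)

# Read the ACL back and flag the two mistakes that expose other users' folders
$check = (Get-Item -LiteralPath $Root).GetAccessControl('Access')
if (-not $check.AreAccessRulesProtected) {
    Write-Warning 'Inheritance is still enabled on the root folder.'
}
$check.Access |
    Where-Object { $_.IdentityReference -like '*Authenticated Users' -and
                   $_.InheritanceFlags -ne 'None' } |
    ForEach-Object {
        Write-Warning "Authenticated Users ACE propagates below the root: $($_.FileSystemRights)"
    }
$check.Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The .NET rule constructor adds the Synchronize right to allow entries automatically, so the read-back table shows it next to the four rights granted to Authenticated Users.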

Folder redirection is a user configuration setting, so the GPO that contains these settings must be linked to an OU that houses user accounts, or linked high enough in the AD tree that user-housing OUs will inherit it. Redirection can be set in basic or advanced mode: basic redirects everyone to the same location, while advanced lets you redirect users differently based on security group. In either case you can redirect to the user’s home directory, create a folder for each user under the specified root, redirect to a specific location, or redirect to the user’s local %userprofile% path. I will be using the “create a folder” option under the advanced mode, and the path is the DFS root created earlier: \\domain.com\users$\root. For now the policy will apply to one group, domain users, but I will have future flexibility should I need to have additional groups redirected differently. The effect of this policy is that each user, once successfully redirected, will automatically have a new folder under the root directory named after their username, with the documents folder beneath it. Any other folders I choose to redirect will also live under this %username% directory.


Additionally, you can grant the user exclusive access to their folder, which keeps out even domain admins and creates problems for backups. Since we’ve set very specific permissions on the root we don’t need to worry about this anyway. The other pertinent option is to move the contents of the source to the destination, which I have had problems with in my environment. I’ll be leaving both of these unchecked.


Now when a user logs in to any machine in the enterprise they will see the exact same documents folder, which lives safe and sound on an enterprise storage array. Should the primary array fail, DFS will repoint their redirected documents to a DR filer in another datacenter.


Something else to consider for your laptop users is offline files in conjunction with folder redirection. I have this enabled by default for all laptops and expressly disable it for desktops. This is a good compromise: laptop users enjoy the benefits of redirection while in the office but can also access and work on these documents while away. The next time they connect to the corporate network, any changes they made to an offline file will sync back up with their redirected folders on the NAS.
