Folder Redirection for Roaming Profiles on a slow link

Monday, June 16th, 2008 at 12:56 pm

Samba acting as a Primary Domain Controller (PDC) can be a marvelous thing. But, just like any Windows environment, it requires an awful lot of bandwidth and resources for serving Windows profiles. Usually this is not a problem in an office environment, where the network can be managed and configured to use Ethernet to deliver 100 Mbit or even 1000 Mbit throughput to each client machine. But what if you aren’t in the office, and want to connect to a domain and retrieve your profile from a laptop?

OpenVPN can connect the remote computer to the work network, allowing access to resources available in the office. These services can include the PDC, allowing for authentication to network file shares and access to roaming profiles, as well as VoIP telephony, e-mail, and others. Information on this step can be found here. (NO LONGER AVAILABLE SORRY!)

However, Roaming Profiles can often grow to be quite large. If downloaded files are saved to the Desktop, or My Documents is used for per-user file storage, you can easily expect a few gigabytes of data per profile. The default behavior for Roaming Profiles in a Windows network is to download the entire profile upon log-in, and upload the entire profile when logging out. Even on a fast Ethernet network, this process can take a few minutes to churn. It’s impossible to perform these tasks more than once a lifetime if using DSL, or WiFi on any remote site.

The solution is to require the user to download only what is absolutely essential, instead of the entire profile. The rest of the data can be accessed like any other file share, where files are only fetched when requested, and saved to the remote share when instructed.

For the sake of space, I will only go into implementing this on Windows 2000 domains and above, using Samba 3.

The first step is setting up Samba as a PDC, which is explained elsewhere. The parameters “logon home” and “logon drive” can be added to the “[global]” section of smb.conf to automatically mount H: to the location of the user’s profile on the PDC at log-on.

logon drive = H:
logon home = \\%L\profiles\%U

At this point, it is time to make some unconventional changes. To prevent Windows from downloading and uploading the possibly enormous profile, we can take advantage of the per-computer Group Policy Objects. Run gpedit.msc on the machine you wish to configure for remote Roaming Profiles, and navigate to Computer Configuration→Administrative Templates→System→User Profiles. You may choose to change some of these parameters to your liking, but the important ones to Enable are Only allow local user profiles and Prevent Roaming Profile changes from propagating to the server. This may seem unorthodox, but what this does is force the profile to reference the live server copy of the profile instead of a downloaded local copy. Reboot after changing the Group Policy for the changes to take effect.

At this point, logging in will only download profile settings from NTUSER.DAT and associated files, ignoring the rest of the data. You may notice the H: drive is now mounted on login and contains the profile’s data.

Since we now have direct access to the profile on the server, we can change the user’s NTUSER settings to reference the profile folders on the live share mounted as H:.

This can be done two ways. The first, and what I find easiest, is to log in as the user and open regedit, navigating to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. The keys in this path are the ones to change so that they match our new profile location at H: rather than a local copy.

The second is to copy the user’s NTUSER.DAT from their profile on another computer, and load it into regedit on its own. Once you have the user’s NTUSER.DAT, navigate to HKEY_LOCAL_MACHINE, select File→Load Hive, select the NTUSER.DAT file (enter any name for this hive, it is only a temporary identifier), then navigate to HKEY_LOCAL_MACHINE\<hive name>\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Not all of these keys are to be changed however. Cache, Cookies, History, Local AppData, and Local Settings should be left using %USERPROFILE% as their default path, since their contents will be specific only to the local computer, and would decrease performance of the network significantly if they were uploaded to the server on use.

The keys that should be changed are AppData, Desktop, Favorites, My Pictures, NetHood, Personal, PrintHood, Programs, Recent, SendTo, Start Menu, Startup, and Templates. Replacing %USERPROFILE% in each of these keys with just H: will ensure that the corresponding files will be accessed live from the profile share.
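The registry edit described above can also be scripted. The following PowerShell is an added example, not part of the original post: the function name Set-RedirectedShellFolders is hypothetical, and it assumes it is run as the affected user with H: already mapped and the values still at their %USERPROFILE% defaults.

```powershell
# Added example: run as the affected user, after H: is mapped by "logon drive".
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Values the article redirects to the share, and values it keeps local.
$redirect  = 'AppData','Desktop','Favorites','My Pictures','NetHood','Personal',
             'PrintHood','Programs','Recent','SendTo','Start Menu','Startup','Templates'
$keepLocal = 'Cache','Cookies','History','Local AppData','Local Settings'

function Set-RedirectedShellFolders {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Drive = 'H:')

    $item = Get-Item -Path $key
    foreach ($name in $redirect) {
        # Read the raw REG_EXPAND_SZ text so %USERPROFILE% is not expanded.
        $current = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $current) { Write-Warning "$name is not set; skipping"; continue }
        if ($current -notlike '%USERPROFILE%*') {
            Write-Verbose "$name already points elsewhere: $current"
            continue
        }
        # Swap only the leading %USERPROFILE% for the drive letter.
        $new = $Drive + $current.Substring('%USERPROFILE%'.Length)
        if ($PSCmdlet.ShouldProcess($name, "change '$current' to '$new'")) {
            Set-ItemProperty -Path $key -Name $name -Value $new -Type ExpandString
        }
    }
    # Confirm the machine-specific folders were left on the local disk.
    foreach ($name in $keepLocal) {
        $current = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($current -and $current -notlike '%USERPROFILE%*') {
            Write-Warning "$name is '$current'; the article keeps it under %USERPROFILE%"
        }
    }
}

# Preview the changes first; remove -WhatIf to apply them.
Set-RedirectedShellFolders -WhatIf
```

Exporting the User Shell Folders key from regedit before applying gives a copy to restore from if a path turns out to be wrong.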

This seems to work wonderfully. Logons complete in a matter of seconds, even if the Desktop has 500MB of files, and your Application Data has grown enormously. Some programs that rely on Application Data may need tweaking where Local Settings/Application Data would be more appropriate. One example is the Thunderbird e-mail cache, which is slow to write over a live share and would be better moved to a local filesystem only.

Also note that changing the Local Settings paths to anything other than a local store will result in the log on error “Windows Cannot Load Your Roaming Profile And Has Loaded Your Default Profile – DETAIL – Incorrect Function.” The Local Settings should be kept locally, anyway.
