Work Folders Test Lab Deployment

Hi, everyone. I’m Jane Yan, a PM on the Work Folders team. I presented a session on Work Folders with Adam Skewgar, and demoed how it works on both the client and the server (A Deep Dive into the New Windows Server Data Sync Solution). This blog post shows, step by step, how to build the demo environment shown in the sessions. Please note that the guide uses the Preview release build, and the experience will differ slightly in the final RTM release.

Overview

Work Folders is a new feature introduced in Windows Server 2012 R2 that enables users to access their work-related files on devices configured with Work Folders, whether or not the devices are joined to a domain, and whether they are connected directly to the corpnet or over the internet. Work Folders is available in Windows Server 2012 R2 Preview and Windows 8.1 Preview. This step-by-step guide uses the Preview release for both the server and the client.

Topology

The simplest setup for lab test of Work Folders requires the following computers or VMs:

  1. Active Directory Domain Services domain controller (DC)
  2. File server running Windows Server 2012 R2
  3. 2 client PCs running Windows 8.1 or Windows RT 8.1 (to observe documents sync between 2 devices)

VMs are more convenient for lab testing, so I’ll provide the end-to-end setup using VMs. This test environment does not require you to publish any URLs for Work Folders.

Express lane

This section provides a checklist for setting up the lab environment. Detailed procedures are covered in the later sections.

VM setup

This section assumes you know how to set up VMs, a domain controller, and a virtual network. By the end of this section, you will have a domain set up, with the server and one client machine joined to the domain.

Configure Network

In the Hyper-V Manager console, create a Virtual Switch marked as Private.

Configure the VMs to use the Private network.

DC setup

  1. Create a VM using Windows Server 2012 R2
  2. Rename the VM to DC.
  3. Configure the IP of the server as 10.10.1.10
  4. After the VM setup, open Server Manager, and then add the following roles:
       • Active Directory Domain Services
       • DHCP Server (Note: this role is optional. You can also configure a static IP for each VM without enabling DHCP)
       • DNS Server
  5. Complete the wizard, then click the “Promote this server to a domain controller” link.
  6. Use the wizard to create a new forest named “Contoso.com”, and configure the DC appropriately.
  7. Add a new scope in DHCP, so that other machines on the network can get an IP address automatically. Make sure all the machines are on the same subnet and point to 10.10.1.10 as the DNS server. Note: this is optional. You can also manually configure the other machines with static IPs.

Server setup

  1. Create a VM using Windows Server 2012 R2.
  2. Rename the VM to SyncSvr.
  3. Join the SyncSvr machine to the domain Contoso.com
  4. Optionally, if you use a static IP, configure the IP on this server as 10.10.1.12

Client setup

  1. Create 2 VMs using Windows 8.1
  2. Rename VM1 to OfficePC
  3. Optionally, if you use a static IP, configure the IP on this client as 10.10.1.15
  4. Rename VM2 to HomePC
  5. Optionally, if you use a static IP, configure the IP on this client as 10.10.1.16
  6. Join OfficePC to the contoso.com domain.

User and Security group creation

Work Folders can be configured for domain users, so you need to create a few test users in AD. For testing purposes, let’s create 10 domain users (U1 to U10).

We recommend controlling access to Work Folders through security groups. Let’s create one group named “Sales”, with scope “Global” and type “Security”, and add the 10 domain users (U1 to U10) to the Sales security group.
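
The same users and group can be created from PowerShell on the DC. This is an added example, not part of the original post; it assumes the ActiveDirectory module is available, that the accounts go into the default Users container, and that one shared lab password typed at the prompt is acceptable.

```powershell
# Added example: create lab users U1..U10 and the Sales security group.
# Run on the DC (or any host with the ActiveDirectory module installed).
Import-Module ActiveDirectory

# One shared lab password, typed at the prompt so it never lands in the script.
$labPassword = Read-Host -Prompt 'Password for lab users U1..U10' -AsSecureString

# Global security group that the sync share is scoped to later in this guide.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'Sales'")) {
    New-ADGroup -Name 'Sales' -SamAccountName 'Sales' `
        -GroupScope Global -GroupCategory Security
}

# Create each missing user; collect all ten names for the membership step.
$users = foreach ($i in 1..10) {
    $sam = "U$i"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@contoso.com" `
            -AccountPassword $labPassword -Enabled $true
    }
    $sam
}

# Add-ADGroupMember fails on an existing member, so add only the missing ones.
$current = @(Get-ADGroupMember -Identity 'Sales' |
             Select-Object -ExpandProperty SamAccountName)
$missing = @($users | Where-Object { $_ -notin $current })
if ($missing) { Add-ADGroupMember -Identity 'Sales' -Members $missing }

# Show the resulting membership for a quick visual check.
Get-ADGroupMember -Identity 'Sales' |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, objectClass
```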

Sync Server configuration

Now the fun starts. For all the operations performed on the server, I’ll show the UI in Server Manager, followed by the equivalent Windows PowerShell cmdlet.

Enabling the Work Folders role

Using Server Manager UI

    1. Launch the Server Manager on SyncSvr.
    2. On the dashboard, click “Add roles and features”.
    3. Follow the wizard; on the Server Role selection page, choose Work Folders under File and Storage Services.
    4. Complete the wizard.

Using PowerShell cmdlet

PS C:\> Add-WindowsFeature FS-SyncShareService

Create Sync Share

Using Server Manager UI

A sync share is the unit of management on the sync servers. A sync share maps to a local path under which all the user folders will be hosted, and to a group of users who can access the sync share.

Steps

Screenshots

Description

Launch New Sync Share Wizard from Server Manager

 

Provide the local path where user folders will be created under, type C:\SalesShare, and then click Next.


There are 2 options to specify the local path:

  • If you have a local path that is configured to be an SMB share, such as a folder redirection share, you can simply select the first option, “Select by file share”. For example, I had one SMB share created on this server, which points to the C:\finshare location. I can simply enable the path “c:\finshare” for sync by selecting the first radio button.

  • If you are creating the sync share first (without the SMB share configuration), you can provide the local path directly in the second option, which is what I’m using in the demo.

Select the user folder format, choose the default user alias, and click Next.

There are 2 options you can select from the UI:

  • Using user alias. This is selected by default, and it is compatible with other technologies such as folder redirection or home folders.
  • Using alias@domain. This option ensures the uniqueness of the folder name for users across domains.

 

The admin can choose a subfolder, “Document”, as the folder to be synced to devices, while leaving the other folders still functioning with Folder Redirection. To do so, check “Sync only the following subfolder”.

Sync only the following subfolder: By default, all the folders/files under the user folder will be synced to the devices. This checkbox allows the admin to specify a single subfolder to be synced to the devices. For example, the user folder might contain the following folders as part of a Folder Redirection deployment:

[Screenshot: folders under a user folder in a Folder Redirection deployment]

Provide the sync share name and description (optional), and click Next.

 

Assign security groups for sync share access by clicking the Add button and entering the Sales security group (created in section User and Security group creation). Then click Next.

By default, the admin will not be able to access the user data on the server. If you want to have admin access to user data, uncheck the “Disable inherited permissions and grant users exclusive access to their files” checkbox.

As part of this assignment, the share creation will modify the NTFS folder permissions on the sync root, to ensure that users in the security group can create their own folders and can access documents only in their own folder.

The table below shows the permissions which will be configured as part of the sync share creation:

| User account | Minimum permissions required (configured by Sync Share setup) |
| --- | --- |
| Creator/Owner | Full control, subfolders and files only |
| Security group of users needing sync to the share | List Folder/Read data, Create Folders/Append data, Traverse folder/execute file, Read/Write attributes – this folder only |
| Local system | Full control, this folder, subfolders and files |
| Administrator | Read, this folder only |
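
To confirm that the sync root grants no more than the permissions listed above, the ACL can be audited after the share is created. This is an added example, not part of the original post; it assumes the lab path C:\SalesShare and group CONTOSO\Sales, and that the “Local system” and “Administrator” rows correspond to NT AUTHORITY\SYSTEM and BUILTIN\Administrators.

```powershell
# Added example: audit the sync root ACL against the permissions table.
# Assumed names: lab path/group from this guide; SYSTEM and BUILTIN\Administrators
# are assumed to be the "Local system" and "Administrator" rows.
$Path  = 'C:\SalesShare'
$Group = 'CONTOSO\Sales'

$fsr  = [System.Security.AccessControl.FileSystemRights]
$sync = [int]$fsr::Synchronize   # implicit on most ACEs, ignored in comparisons

# Rights the table grants the security group on the root folder.
$groupMax = [int]($fsr::ListDirectory -bor $fsr::CreateDirectories -bor
                  $fsr::Traverse -bor $fsr::ReadAttributes -bor $fsr::WriteAttributes)

# Identity -> most rights allowed, and whether the ACE may apply to children.
$expected = @{
    'CREATOR OWNER'          = @{ Max = [int]$fsr::FullControl; Inherit = $true }
    'NT AUTHORITY\SYSTEM'    = @{ Max = [int]$fsr::FullControl; Inherit = $true }
    'BUILTIN\Administrators' = @{ Max = [int]$fsr::Read;        Inherit = $false }
    $Group                   = @{ Max = $groupMax;              Inherit = $false }
}

$findings = foreach ($ace in (Get-Acl -Path $Path).Access) {
    # Deny ACEs only reduce access, so the audit looks at Allow ACEs.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id     = $ace.IdentityReference.Value
    $rights = [int]$ace.FileSystemRights -band (-bnot $sync)
    # Inherit-only ACEs may store the generic GENERIC_ALL bit instead of FullControl.
    if ($rights -band 0x10000000) { $rights = [int]$fsr::FullControl }
    if (-not $expected.ContainsKey($id)) {
        "UNEXPECTED identity: $id ($($ace.FileSystemRights), inherited=$($ace.IsInherited))"
        continue
    }
    $extra = $rights -band (-bnot $expected[$id].Max)
    if ($extra) {
        "EXTRA rights for ${id}: $($extra -as $fsr)"
    }
    if ($ace.InheritanceFlags -ne 'None' -and -not $expected[$id].Inherit) {
        "INHERITABLE ACE for ${id}: the table scopes it to this folder only"
    }
}

if ($findings) { $findings } else { "ACL on $Path matches the expected table" }
```

An UNEXPECTED line with inherited=True usually means the sync root still inherits entries from its parent folder.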

 

Define device policies, and then click Next.

The encryption policy requires the documents in Work Folders on the client devices to be encrypted with the Enterprise ID. Data encrypted with the Enterprise ID has a different key from the EFS key which is used to encrypt personal documents on the same device. The separation allows the admin to wipe only the Work Folders data, while preserving the personal data on the device.

The password policy enforces the following configuration on user PCs and devices:

  • Minimum password length of 6
  • Autolock screen set to be 15 minutes or less
  • Maximum password retry of 10 or less

If the device doesn’t meet the policy, the user will not be able to configure Work Folders.

The policy enforcement on the client devices is not in the Preview release. It will be in the RTM release.

Check the sync share settings, and click Create.

Using PowerShell cmdlet

PS C:\> New-SyncShare SalesShare -path C:\SalesShare -User Contoso\Sales -RequireEncryption $true -RequirePasswordAutoLock $true

Enable SMB access

If you want to enable the sync share for SMB access, you can open Windows Explorer and navigate to the “This PC” location. Right-click the “SalesShare” folder, and select “Share with” -> “Specific people”. Add Contoso\Sales and change the permission level to “Read/Write”.

Complete the UI by clicking the “Share” button.

Now users can also access the dataset through the UNC path.

Once the server is enabled for SMB access, the server will check for data changes every 5 minutes by default. You can change the enumeration time by running the following cmdlet on the server:

PS C:\> Set-SyncServerSetting -MinimumChangeDetectionMins <NumberInMinutes>

Each time the server enumerates files to detect changes, the server load increases. On the other hand, changes made locally on the server or through SMB can only be detected at each enumeration. It is a balancing act between the change detection delay you can tolerate and the load the server can handle. Enumeration gets more expensive as the number of files under the user folder increases. If you want to decrease the setting, make sure you test it on the server in your environment first. We are currently evaluating the enumeration performance, and will post guidance in this area later. If you don’t want users to change files directly on the server or through SMB or NFS, you should consider disabling ChangeDetection on the server.

Client setup

Since we prepared 2 VMs as the client machines, you will need to repeat the following setup on both client machines.

Lab testing specific settings

Caution: The following regkey settings are only for lab testing, and should not be configured in a production environment.

  1. Allow unsecure connection

By default, the client always connects to the server using SSL, which requires the server to have an SSL certificate installed and configured. In lab testing, you can configure the client to use HTTP by running the following command on the client:

Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v AllowUnsecureConnection /t REG_DWORD /d 1

Running over an unsecure connection is not recommended, and a follow-up post will illustrate the procedures to configure a certificate on the server.

  2. Converting from email address to server URL

When the user enters an email address, such as Jane@contoso.com, the client will construct the URL as https://WorkFolders.contoso.com, and use that URL to communicate with the server. In a production environment, you will need to publish the URL so that the client can communicate with the server through a reverse proxy. In testing, we’ll bypass the URL publication by configuring the following regkey:

Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\WorkFolders /v ServerUrl /t REG_SZ /d http://syncSvr.contoso.com

With this key set, the client will bypass the email address the user entered, and use the URL in the regkey to establish the sync partnership.

Also note that this key will not be present in the RTM release.
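
Because both settings weaken the client's transport security, it is worth checking that they have not been left behind on a machine that later leaves the lab. This is an added example, not part of the original post; the function name Get-WorkFoldersLabOverride is hypothetical, and the registry paths and value names are the ones from the two commands above.

```powershell
# Added example: list lab-only Work Folders registry overrides on this machine.
# Get-WorkFoldersLabOverride is a hypothetical helper name, not a built-in cmdlet.
function Get-WorkFoldersLabOverride {
    $sub = 'Software\Microsoft\Windows\CurrentVersion\WorkFolders'

    # Machine-wide switch that allows sync over plain HTTP.
    $m = Get-ItemProperty -Path "HKLM:\$sub" -Name AllowUnsecureConnection `
            -ErrorAction SilentlyContinue
    if ($m -and $m.AllowUnsecureConnection -ne 0) {
        [pscustomobject]@{ Hive = 'HKLM'; Name = 'AllowUnsecureConnection'
                           Data = $m.AllowUnsecureConnection; PlainHttp = $true }
    }

    # ServerUrl is per user. HKCU covers only the caller, so walk every loaded
    # user hive under HKEY_USERS (run elevated to read other users' hives).
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $u = Get-ItemProperty -Path "Registry::$($_.Name)\$sub" -Name ServerUrl `
                    -ErrorAction SilentlyContinue
            if ($u) {
                [pscustomobject]@{ Hive = $_.PSChildName; Name = 'ServerUrl'
                                   Data = $u.ServerUrl
                                   PlainHttp = ($u.ServerUrl -like 'http://*') }
            }
        }
}

$found = @(Get-WorkFoldersLabOverride)
if ($found.Count) {
    $found | Format-Table -AutoSize
} else {
    'No lab-only Work Folders overrides found.'
}
```

Only hives of users who are currently logged on are loaded under HKEY_USERS, so run the check in each user's session if profiles are not loaded.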

WorkFolders setup

Steps

Screenshots

Description

Users can find the setup link in Control Panel->System and Security->Work Folders

 

 

Provide the user email address, and then click Next.


If the client machine is domain joined, the user will not be prompted for credentials.

Specify where to store Work Folders on the device

Users cannot change the Work Folder location in the preview release of Windows 8.1. This will be changed in the final RTM release.

Consent to the device policy, and then click Setup Work Folders.


 

Work Folders is now configured on the device. You can open File Explorer to see Work Folders.

 


 

Once you have configured both client machines, the user can access the documents under the Work Folders location from any device, and the documents will be kept in sync by Work Folders.

Sync in action

To test Work Folders, create a document (using Notepad or any other app) on one of the client machines and save it under the Work Folders location. Then create a document on the other client machine and save it under Work Folders as well. In a few moments, you should see the documents synced on both client machines.

In the Preview build, the client syncs with the server whenever there are local changes under Work Folders, and when the client connects to the server, the server also notifies the client of any changes on the server. If nothing has changed locally on the client, it connects to the server every 10 minutes to ask for any changes on the server. You can trigger a sync action by creating or modifying a file on the device under Work Folders.

Since the sync location was also enabled for SMB access, users can also view the data on computers without Work Folders by typing the UNC path in Explorer.

Conclusion

I hope this blog post helps you get started with Work Folders in your test labs. If you have questions not covered here, please raise them in the comments so that I can address them in upcoming posts. Also, here is a resource on this topic that you will find helpful:

PowerShell cmdlet reference: http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx

- Jane

  • I'm a longtime sys admin working with MS technologies. Currently working with a small business that I migrated to Office 365 last December. We have been waiting to decide on a file storage solution since then. SkyDrive Pro is not working out. When I learned about Work Folders in Server 2012 R2 I thought perhaps our problem had been solved.

    We have also investigated a handful of other cloud file storage services that provide business oriented secure, redundant storage. Some of these allow for SSO with Windows Azure AD.

    I have set up AD in our Windows Azure subscription. The client is hosting a simple website there for about a year. I've successfully used the WAAD/O365 model via Azure to set up the SSO Access Portal for users.

    I've been reviewing Technet presentations, both US and Europe, about Anywhere Access, WAAD, and your own Deep Dive. And of course searching the web high and low for more info on setting up Work Folders.

    I posted 2 different questions so far on this subject: MS Forums and Stack Overflow.

    social.msdn.microsoft.com/.../work-folders-with-new-2012-r2-server-vm

    stackoverflow.com/.../windows-server-2012-r2-work-folders-on-azure-vm

    So far I've set up an Azure VM with the Windows Server 2012 R2 preview image. I added the Windows Server Essentials Experience to simplify integration with our O365 WAAD. This is working. I had already set up Work Folders and have been able to set up a sync share using account info from WAAD. I have a Windows 8.1 preview client set up for testing.

    I'm stuck on how to set up DNS for a user address to connect to Work Folders running on this Azure VM. Or to even provide a URL. I've never designed endpoints or vpn for an Azure VM.

    To keep this simple, I was hoping to be able to just set up one Azure VM that could be tested as a replacement file server for our aging on-prem Windows 2003 server that contains about 80gb of storage, rough count is 82k of files. I have already set up Windows Azure backup and test run a backup/restore.

    I guess I have many of the pieces in place, but the last step, making it accessible to the Windows 8.1 client is eluding me.

    I believe this is probably a common enough use-case scenario that MS would want to address it.

  • Thanks Bill for the question. I'm working on a blog to set up something similar to what you have described. Expect a follow up in a couple of weeks.

  • I added two more clarifying comments in the past couple of days but they are not showing up. Hopefully the moderator will get on this and allow them to display. I'm also posting to the Win2012 R2 General forum in case my comments are being deleted/lost.