Solved

Roaming user profiles on 2nd DC as backup against failure - Server 2008 R2

Posted on 2011-03-08
Last Modified: 2012-05-11
Windows Server 2008 R2 domain with roaming user profiles.  Group Policy specifies that roaming profiles get stored on Server1, a domain controller.  I have a second domain controller that's also a Global Catalog to provide protection should Server1 fail.  Server2 also has a copy of DNS.

Question: how can I provide a backup for the roaming user profiles on Server2?  I'd like to keep it in sync with Server1 so that in the case of a failure, users will just get authenticated by Server2 and have a copy of their user profile there so they can just keep working away.  Is there a way to configure the policy to keep a copy on both servers?
Question by:pcspcs
Expert Comment

by:kevinhsieh
ID: 35086147
You need to use DFS replication to keep the files in sync, and use DFS namespace to redirect users from one server to another. You will also need to change the roaming profile path to use the DFS path, i.e. \\domain.local\dfs\profiles\%username% . The DFS root needs to be hosted on both domain controllers, and as they are probably in the same location, I would only enable the DFS link to 1 server at a time to prevent clients from connecting to both servers at the same time and causing replication issues. I would also look at doing folder redirection to cut down on the amount of data that gets copied across the network during logon and logoff. For example, My Documents could be redirected to \\domain.local\dfs\users\%username%\My Documents .

Expert Comment

by:matyke
ID: 35086207
Hi,

You can use DFS to replicate data between these 2 servers, but using DFS namespace to store roaming profiles is not recommended and not supported. But if you need to have a backup of roaming profiles, you can point roaming profiles to the first DC server, configure DFS replication to replicate to another DC (in this case one-way, since users are not pointed to the DFS namespace), and in case of failure you need to reconfigure group policy to point roaming profiles to the other location on the second DC. But this is not automatic failover; you need to do a manual switchover.

Expert Comment

by:kevinhsieh
ID: 35086722
@matyke, why can't DFS namespace be used and have active links to only 1 server? That isn't really any different in usage from not using DFS, except for the fact that it is possible to change the active link to another server without having to change a GPO, reboot the clients, etc.

Author Comment

by:pcspcs
ID: 35090021
Yes matyke, please do fill us in.  I'd like to know as much as possible before diving into this one.  Kevinhsieh, have you done this setup on multiple networks and never experienced an issue with it?
Expert Comment

by:matyke
ID: 35093464
Expert Comment

by:kevinhsieh
ID: 35098286
What I am proposing is more like Scenario 1B: DFS Namespace is configured – single link target, or 2A, link target disabled. I really don't see the difference between 1B and 2A link target disabled, because either way you still have a possible problem with stale data, but considering the fact that both servers are on the same LAN and we are talking about what happens if a server goes down, you have both the fact that data will be as up to date as possible and, if the primary server really goes down for a while and you need to get back up and running, you are making the judgement call that you may lose some very recent changes to the profile (that are probably lost anyway) and that it is acceptable in order to get back to operations.

I have no personal reservations about having a namespace and using disabled links to everything other than the primary target.

Expert Comment

by:matyke
ID: 35098595
I think this can work and can be a solution for pcspcs.

I'm using DFS for normal office data (Excel, Word, etc.); I didn't use it for roaming profiles.

Author Comment

by:pcspcs
ID: 35124631
I'm thinking this might be a good solution whether I have to change the GPO or not, because there is VERY little information changing or being written to the user profiles in my scenario. You see, we run a hosting service for an application we sell whereby users log in via a thin client called Graphon Go-Global (similar to Citrix) that processes logins as remote users, including applying GPO. Users don't have access to save to a My Documents area, but simply use the application, which accesses their database stored on our server. The only thing in the user profiles we need are some registry settings which keep track of their application preferences.

With that in mind, I'm concerned about the switchover, especially in regards to maintaining proper permissions to the profile folders. I read through some tutorials where it looks like the setup allows you to choose some pre-configured options for permissions, or custom permissions. I don't want to have to manually assign them to folders for 200 users.

I'm also wondering about the automatic creation and permissions assignments that happen when I add new users to Active Directory.

Any ideas on this?

Do I understand that on the DFS Root server I'll actually have all the profile folders twice: once as the DFS version that gets synced and once as the source?

Even though this sounds like it will work, I do admit it sounds like this is not what DFS is intended for. If that's true, then how do other people protect user data stored in user profiles (primarily the local user registry) with roaming profiles?

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 35125618
The DFS namespace server only has links to the shared folders. It doesn't necessarily have any of the folders themselves, unless it happens to be one of the namespace link targets.

Replication sets up and maintains all folders and permissions, so you don't have to worry about that. It's also the same process when you add a new user as you currently have, just that the profile path will be a little different.

I think that this will totally work for your case. Just when you set up the namespace and you create the links to your failover server, disable the link in the DFS namespace so that it doesn't get used. Only enable it when necessary.

The other option would be to cluster a file server or use a highly available NAS device. Clustering a server would require two Windows Enterprise licenses and an iSCSI, FC, or eSATA SAN.

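The manual switchover the accepted answer describes (one namespace folder, two targets, only the primary target enabled, flip to the failover target when Server1 is down and flip back afterwards), written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft: it assumes the DFSN and DFSR PowerShell modules, which ship with Windows Server 2012 R2 and later and the matching RSAT, so on the 2008 R2 servers in the question the same steps would be done in the DFS Management console or with dfsutil/dfsradmin. The namespace path \\domain.local\dfs\profiles and the server names Server1/Server2 come from the thread; the share name Profiles, the replication group name and the user name used in the ACL check are hypothetical.

```powershell
# Added example: controlled DFS-N target switchover for a roaming-profile folder.
# Requires the DFSN and DFSR modules (Windows Server 2012 R2+ / RSAT), which
# 2008 R2 does not have; paths and names below are assumptions, not the thread's.

$NamespaceFolder = '\\domain.local\dfs\profiles'   # path users get via the GPO
$PrimaryTarget   = '\\Server1\Profiles'            # hypothetical share names
$FailoverTarget  = '\\Server2\Profiles'
$ReplGroup       = 'RoamingProfiles'               # hypothetical DFSR group name
$ReplFolder      = 'Profiles'                      # replicated folder name in that group

# Show which target(s) clients are currently being referred to.
function Get-ProfileTargetState {
    Get-DfsnFolderTarget -Path $NamespaceFolder |
        Select-Object TargetPath, State, ReferralPriorityClass
}

# The thread's main caveat: never have both targets online at once, or clients
# write to both copies and DFSR has to resolve conflicts. Returns $true if
# exactly one target is Online.
function Test-SingleOnlineTarget {
    $online = @(Get-DfsnFolderTarget -Path $NamespaceFolder |
                Where-Object { $_.State -eq 'Online' })
    return ($online.Count -eq 1)
}

# Files still queued to replicate from Server1 to Server2. A non-empty backlog
# means the failover copy is stale; switching anyway is the "judgement call"
# kevinhsieh describes (recent profile changes are lost).
function Get-ProfileBacklogCount {
    $backlog = @(Get-DfsrBacklog -GroupName $ReplGroup -FolderName $ReplFolder `
                    -SourceComputerName 'Server1' -DestinationComputerName 'Server2' `
                    -ErrorAction Stop)
    return $backlog.Count
}

# Flip referrals from one target to the other: take the old target Offline
# first, then bring the new one Online, so no moment has both enabled.
function Switch-ProfileTarget {
    param(
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [switch] $Force   # skip the backlog check (primary is unreachable)
    )
    if (-not $Force) {
        $pending = Get-ProfileBacklogCount
        if ($pending -gt 0) {
            throw "$pending file(s) not yet replicated to the failover copy; wait or use -Force."
        }
    }
    Set-DfsnFolderTarget -Path $NamespaceFolder -TargetPath $From -State Offline
    Set-DfsnFolderTarget -Path $NamespaceFolder -TargetPath $To   -State Online
    if (-not (Test-SingleOnlineTarget)) {
        throw "Expected exactly one Online target after switchover; check the namespace."
    }
    Get-ProfileTargetState
}

# pcspcs asked about per-user folder permissions surviving the copy. DFSR
# replicates NTFS ACLs, so the SDDL of a user's profile folder should be
# identical on both servers; this compares one user's folder on each side.
function Compare-ProfileFolderAcl {
    param([Parameter(Mandatory)] [string] $UserName)   # e.g. a constructed test user
    $a = (Get-Acl -Path (Join-Path $PrimaryTarget  "$UserName.V2")).Sddl
    $b = (Get-Acl -Path (Join-Path $FailoverTarget "$UserName.V2")).Sddl
    return ($a -eq $b)
}

# --- Usage ---------------------------------------------------------------
# Normal state: primary Online, failover Offline.
Get-ProfileTargetState

# Server1 has failed: move referrals to Server2 (no backlog check possible).
# Switch-ProfileTarget -From $PrimaryTarget -To $FailoverTarget -Force

# Server1 is back and DFSR has caught up: fail back only when backlog is zero.
# Switch-ProfileTarget -From $FailoverTarget -To $PrimaryTarget
```

Clients that already have a referral cached keep using it until the referral TTL expires, so after a switchover a client may still try the old target for a few minutes; that is why the order here is "old target Offline, then new target Online" and why the script refuses to end with two Online targets. Profile folders are named `<user>.V2` for Windows 7/2008 R2 roaming profiles, which the ACL check assumes.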
Author Closing Comment

by:pcspcs
ID: 35148874
This sounds like the solution that will work for me. A cluster is not an option here since we're renting these servers at a large data center where those options are out of reach. I'll go ahead and accept this as the solution even though we've not yet implemented it, because it might be some time before we can do so. Thanks.