Suggestion for international roaming profiles

Posted on 2014-09-09
Last Modified: 2014-09-16

I work for an organisation with a global workforce. Many of the users frequently travel internationally and for extended periods. Historically we've had all travelling staff, regardless of their location, log in to a single site/office (let's call it Site B) to access corporate systems and data. This has often meant poor connection speeds due to some locations having poor comms services. We've recently extended our Active Directory infrastructure to multiple countries and have duplicated a number of services and select data, with the intent being to direct users to the closest site.

The challenge we're having is with roaming profiles and logon performance. (FYI: As staff are often away from the office, we use roaming profiles.) The user's AD profile, documents etc. are located in Site B. Currently, when a user logs into Site A or Site C, their profile etc. in Site B is used, causing very slow login speeds.

I had initially thought of using DFS to replicate all profiles across AD sites. The catch is, according to MS and a stack of forums, DFS doesn't support this model. I tried it anyway and it (DFS) didn't handle it very well. There were far too many reads/writes for it to keep up with.

What I want to achieve is for each user's profile etc to be located in each site. Does anyone have a suggestion on how to achieve this?

Question by:AVIVOL

Accepted Solution

Coralon earned 500 total points
ID: 40316135
The key is to get away from roaming profiles in your situation.

Ideally, if you can, give them home directories (or a personal directory -- home directory has some specific implications to the system) on DFS, and then use folder redirection to push a lot of the important folders into those replicated directories.  You should eliminate most of your issues that you are experiencing now.


Author Comment

ID: 40324510
Coralon, just one quick follow up question. Are you saying that a User's AD account shouldn't have anything configured under either the Profile or RDS Profile tab? If so, how do you ensure the user's experience is consistent when logging in from different sites? Folders like AppData will surely have to "follow" the user, correct?

Expert Comment

ID: 40327142
You have options for the profiles.  

If you want to use the user's profile tab you can; you will simply point it to the DFS path, typically something like \\domain.tld\UserProfiles\%username%. You can also assign it by GPO; either one will work. When they connect to the DFS share, they will be connected to the closest share based on their Site settings. DFS will replicate the directories around.

Now, the other piece of this is the folders you redirect. You'll redirect things like My Documents and its children (My Videos, My Pictures, etc.). Now, the tricky part is ApplicationData. That will absolutely require testing with your applications. Some applications will tolerate it, some won't. (I've had more that won't tolerate it than will :-\). The primary issue with redirecting appdata is that performance may suffer depending on how your applications use it.

My own experience has been that appdata really is not super-critical for many applications, and some of the items that are in there, you could more easily script a copy up on logoff and copy down on login to the redirected home directory.  For example - Microsoft Signatures for Outlook.  They are in %appdata%\microsoft\signatures, and scripting them up & down works perfectly well.    

And since your home directories/redirected folders are on DFS, they will replicate everywhere that you let them, keeping them local.

If you're willing to spend a little bit of money, you might want to look at Immidio with their Flex Profiles.  In a nutshell, they store the setting in one (or possibly more) zip files that are stored in a configurable location, then you use scripts to save them and write them back up.  (It looks like they really only handle the registry settings.. but the files in the profile may be configurable?)
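
The "copy up on logoff, copy down on login" approach for Outlook signatures mentioned in the comment above could look like the following. This is an added example, not code from the thread; the home directory path `\\domain.tld\Home\<username>` and the `ProfileSync` subfolder are hypothetical placeholders, and the script is assumed to be run as a GPO logon script with `-Direction Down` and as a logoff script with `-Direction Up`.

```powershell
# Added example: hypothetical logon/logoff sync script, not from the original thread.
param(
    [Parameter(Mandatory)][ValidateSet('Up', 'Down')][string]$Direction,
    # Assumption: placeholder DFS path to the user's redirected home directory.
    [string]$HomeRoot = "\\domain.tld\Home\$env:USERNAME"
)

# Paths relative to %APPDATA% that should follow the user (Outlook signatures, per the thread).
$Items = @('Microsoft\Signatures')

function Sync-ProfileItem {
    param([string]$Source, [string]$Destination)

    # Nothing to copy yet (first logon, or the user has no signatures).
    if (-not (Test-Path -LiteralPath $Source)) { return $true }

    # /E   copy subfolders, including empty ones
    # /XO  skip files older than the copy already at the destination
    # No /MIR or /PURGE: an empty or half-replicated source must never delete the other side.
    & robocopy.exe $Source $Destination /E /XO /R:1 /W:1 /NP /NJH /NJS | Out-Null

    # Robocopy exit codes below 8 mean success (files copied, skipped, or extra files present).
    return ($LASTEXITCODE -lt 8)
}

if (-not (Test-Path -LiteralPath $HomeRoot)) {
    Write-Warning "Home directory $HomeRoot not reachable; skipping sync."
    exit 0   # do not block logon/logoff when the share is offline
}

$failed = $false
foreach ($item in $Items) {
    $local  = Join-Path $env:APPDATA $item
    $remote = Join-Path (Join-Path $HomeRoot 'ProfileSync') $item
    if ($Direction -eq 'Up') { $ok = Sync-ProfileItem $local $remote }
    else                     { $ok = Sync-ProfileItem $remote $local }
    if (-not $ok) { Write-Warning "Sync failed for $item"; $failed = $true }
}
if ($failed) { exit 1 } else { exit 0 }
```

Because nothing is purged, a signature deleted on one machine will be copied back at the next logon; that trade-off avoids data loss when DFS replication between sites is lagging.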


Author Comment

ID: 40327147
But DFS doesn't support the replication of user Profiles. That was the initial issue I was wanting to resolve via this post. The rate/volume of changes to a user's Profile are too great for DFS to support.

It sounds like I'm back to square one, unless I'm misreading your advice on this.

Expert Comment

ID: 40327159
Correct.. you aren't replicating the entire profile.. just *pieces* of the profile.  And you are not pointing a live profile @ DFS.  The ntuser.dat is not being handled by DFS, which is a big part of why MS doesn't support it.  

The other big issue is MS does not handle having the profile being loaded & replicated from different locations at the same time.. they will step on each other and cause problems.  

With these pieces, you are replicating just plain files (folder redirection). The actual profiles will be local to the machines they are running from. (I misstated in the earlier post -- you won't point *anything* in GPOs or in the user's tab). All you will do is use your GPOs for folder redirection and that's it.

Sorry about that..

