Step-By-Step: Creating a Work Folders Test Lab Deployment in Windows Server 2012 R2
As mentioned in our BYOD Basics series post, Enabling Modern Work Styles Using Windows Server 2012 R2, several new capabilities have been introduced into Windows Server 2012 R2 that are intended to help organizations further embrace BYOD. Microsoft's People-centric IT (PCIT) initiative, the name Microsoft uses for these added BYOD capabilities, helps people in organizations get secure access to their apps and data on any of their devices in any location. Work Folders is one of the new features introduced in Windows Server 2012 R2 that enables PCIT functionality. Work Folders gives users access to their work-related files on the devices they configure, whether or not the device is joined to a domain, and whether it is connected directly to the company's private LAN or over the internet.
With the recent release of Windows Server 2012 R2, we at #CANITPRO thought it would be prudent to update Jane Yan's lab on Work Folders. Hence this Step-By-Step on how to create a Work Folders test lab deployment in Windows Server 2012 R2.
Step 1: Getting Started
1. Set up your test lab by creating the following computers or VMs:
- Active Directory Domain Services domain controller (DC)
- File server running Windows Server 2012 R2
- 2 client PCs running Windows 8.1 or Windows RT 8.1 (to observe documents syncing between 2 devices)
VM setup
Step 2: Configure Network
1. In the Hyper-V Manager console, create a Virtual Switch marked as Private.
2. Configure the VMs to use the Private network.
Step 3: DC setup
1. Create a VM using Windows Server 2012 R2.
2. Rename the VM to DC.
3. Configure the IP of the server as 10.10.1.10.
4. After the VM setup, open Server Manager, and then add the following roles:
- Active Directory Domain Services
- DHCP Server (Note: this role is optional. You can also configure a static IP for each VM without enabling DHCP.)
- DNS Server
5. Complete the wizard, then click the “Promote this server to a domain controller” link.
6. Use the wizard to create a new forest named “Contoso.com”, and configure the DC appropriately.
7. Add a new scope in DHCP so that other machines on the network can get an IP address automatically. Note: this is optional; you can also manually configure the other machines with static IPs.
Step 4: Server setup
1. Create a VM using Windows Server 2012 R2.
2. Rename the VM to SyncSvr.
3. Join the SyncSvr machine to the domain Contoso.com.
Step 5: Client setup
1. Create 2 VMs using Windows 8.1.
2. Rename VM1 to OfficePC.
3. Rename VM2 to HomePC.
4. Join OfficePC to the contoso.com domain.
Step 6: User and Security group creation
Work Folders can be configured for domain users, so you need to create a few test users in AD. For testing purposes, let’s create 10 domain users (U1 to U10).
It is recommended to control access to Work Folders through security groups. Create one group named “Sales”, with scope “Global” and type “Security”, and add the 10 domain users (U1 to U10) to the Sales security group.
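The users and group from this step can also be created with the ActiveDirectory module. This is an added example, not part of the original post; it assumes it runs on the DC (where the module is installed with the AD DS role), that the forest is contoso.com, and it uses a constructed lab-only password.

```powershell
# Added example (not from the original post): creates U1..U10 and the Sales global
# security group from Step 6. Assumes the ActiveDirectory module and the contoso.com forest.
Import-Module ActiveDirectory

$domainDns = 'contoso.com'
$userCount = 10
$groupName = 'Sales'

# Constructed lab-only password; in anything real, read it from a vault or prompt for it.
$password = ConvertTo-SecureString 'P@ssw0rd-Lab1' -AsPlainText -Force

# Create U1..U10 only if missing, so the script can be re-run safely.
$users = foreach ($i in 1..$userCount) {
    $sam = "U$i"
    $existing = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $existing) {
        # The post notes the Enterprise ID used by the encryption policy defaults to the
        # user's primary SMTP address (proxyAddresses), so populate it for each test user.
        $existing = New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$domainDns" `
            -EmailAddress "$sam@$domainDns" `
            -OtherAttributes @{ proxyAddresses = "SMTP:$sam@$domainDns" } `
            -AccountPassword $password -Enabled $true -PassThru
    }
    $existing
}

# Scope Global, type Security, exactly as the post specifies.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}

# Add-ADGroupMember ignores members that are already present.
Add-ADGroupMember -Identity $group -Members $users

# Verify membership before moving on to the sync share, which is assigned to this group.
$members = (Get-ADGroupMember -Identity $group).SamAccountName
$missing = $users.SamAccountName | Where-Object { $_ -notin $members }
if ($missing) { Write-Warning "Not in $groupName : $($missing -join ', ')" }
else { Write-Host "All $userCount users are members of $groupName" }
```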
Step 7: Sync Server configuration
For all the operations performed on the server, the UI steps are shown through Server Manager, followed by the equivalent Windows PowerShell cmdlet.
Enabling the Work Folders role
Step 8: Using Server Manager UI
1. Launch Server Manager on SyncSvr.
2. On the dashboard, click “Add roles and features”.
3. Follow the wizard; on the Server Role selection page, choose Work Folders under File and Storage Services.
4. Complete the wizard.
Using PowerShell cmdlet:
PS C:\> Add-WindowsFeature FS-SyncShareService
Create Sync Share
Step 9: Using Server Manager UI
A sync share is the unit of management on the sync servers. A sync share maps to a local path under which all the user folders will be hosted, and to a group of users who can access the sync share.
1. Launch the New Sync Share Wizard from Server Manager.
2. Provide the local path under which user folders will be created: type C:\SalesShare, and then click Next.
Note: There are 2 options to specify the local path:
If you have a local path that is already configured as an SMB share, such as a folder redirection share, you can simply select the first option, “Select by file share”. For example, in the screenshot shown above, I had one SMB share created on this server, which points to the C:\finshare location. I can simply enable the path c:\finshare for sync by selecting the first radio button.
If it is a brand new server and you are only creating sync shares, you can provide the local path directly in the second option, which is what is demoed in this Step-By-Step.
Creating a sync share simply allows users to access the data hosted on the file server through the Sync protocol; in addition, the same data set can be accessed through SMB or NFS. The wizard makes it easy to create the sync share, as you can pick the location either by knowing the local path or through an SMB (or NFS) share name. If you are enabling the sync share first on a local path, I will also illustrate the steps to enable SMB on the same location, so that legacy clients without Work Folders can access the data set through SMB.
A sync share requires the local path to be hosted on an NTFS volume. If the local path is created as part of the UI wizard or cmdlet, the permissions are inherited from the parent folder by default. After the wizard completes, additional permissions are added to the local path to ensure users assigned to the sync share can create and access the folders and files under their user folder. The table below shows the minimum NTFS permissions required on the local path, which are configured by the sync share creation:
User account | Minimum permissions required (configured by Sync Share setup)
Creator/Owner | Full control, subfolders and files only
Security group of users needing sync to the share | List Folder/Read data, Create Folders/Append data, Traverse folder/execute file, Read/Write attributes - this folder only
Local system | Full control, this folder, subfolders and files
Administrator | Read, this folder only
Additional permissions may be present on the local path as a result of inheritance; you need to make sure the user accounts listed in the table have the correct permissions after the sync share is created.
3. Select the user folder format, choose the default (user alias), and click Next.
Note: There are 2 options you can select from the UI:
- Using user alias. This is selected by default, and it is compatible with other technologies such as folder redirection or home folders.
- Using alias@domain. This option ensures the uniqueness of the folder name for users across domains.
Sync only the following subfolder: By default, all the folders and files under the user folder will be synced to the devices. This checkbox allows the admin to specify a single subfolder to be synced to the devices. For example, the user folder might contain several folders as part of a Folder Redirection deployment. The admin can choose a subfolder such as “Document” as the folder to be synced to devices, leaving the other folders still functioning with Folder Redirection. To do so, check “Sync only the following subfolder”.
4. Provide the sync share name and description (optional), and click Next.
5. Assign security groups for sync share access by clicking the Add button and entering the Sales security group (created in Step 6: User and Security group creation). Then click Next.
Note: By default, the admin will not be able to access the user data on the server. If you want to have admin access to user data, uncheck the “Disable inherited permissions and grant users exclusive access to their files” checkbox.
6. Define device policies, and then click Next.
Note: The encryption policy requests that the documents in Work Folders on the client devices be encrypted with the Enterprise ID. The Enterprise ID by default is the user's primary SMTP email address (the proxyAddresses attribute of the user object in AD). Using a different key to encrypt Work Folders ensures that personal documents on the same device are preserved if an admin wipes Work Folders on the device (for example, if the device is stolen).
The password policy enforces the following configuration on user PCs and devices:
- Minimum password length of 6
- Autolock screen set to 15 minutes or less
- Maximum password retries of 10 or less
If the device doesn’t meet the policy, the user will not be able to configure Work Folders.
7. Check the sync share settings, and click Create.
Using PowerShell cmdlet:
PS C:\> New-SyncShare SalesShare -Path C:\SalesShare -User Contoso\Sales -RequireEncryption $true -RequirePasswordAutoLock $true
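After the sync share exists, it is worth confirming that the ACL on the local path really matches the minimum-permission table above, since inherited entries can add more than the wizard intended. The following check is an added example, not from the original post; it assumes the lab names C:\SalesShare and the NetBIOS domain CONTOSO, and that the table's “Administrator” row corresponds to BUILTIN\Administrators.

```powershell
# Added example (not from the original post): run on SyncSvr after New-SyncShare to
# list every ACE on the sync share path and check the Sales group's rights against
# the post's minimum NTFS permission table. Principal names are assumptions for the lab.
$sharePath = 'C:\SalesShare'
$expected  = @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Sales', 'BUILTIN\Administrators')

$acl = Get-Acl -Path $sharePath
"Inheritance disabled on ${sharePath}: $($acl.AreAccessRulesProtected)"

# Any identity outside $expected came from inheritance and deserves a second look;
# the post warns that extra permissions may be present for exactly this reason.
foreach ($ace in $acl.Access) {
    $id  = $ace.IdentityReference.Value
    $tag = if ($expected -contains $id) { 'expected  ' } else { 'UNEXPECTED' }
    '{0} {1,-24} {2,-5} {3} [applies to: {4} {5}; inherited: {6}]' -f $tag, $id,
        $ace.AccessControlType, $ace.FileSystemRights, $ace.InheritanceFlags,
        $ace.PropagationFlags, $ace.IsInherited
}

# The Sales row of the table as FileSystemRights flags: List Folder/Read data,
# Create Folders/Append data, Traverse folder/Execute file, Read and Write attributes.
$required = [int][System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, Traverse, ReadAttributes, WriteAttributes'

# Combine every Allow ACE for the group, then confirm each required bit is set.
$salesAllow = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'CONTOSO\Sales' -and $_.AccessControlType -eq 'Allow' }
$granted = 0
foreach ($ace in $salesAllow) { $granted = $granted -bor [int]$ace.FileSystemRights }

$missing = $required -band (-bnot $granted)
if ($missing -eq 0) {
    'CONTOSO\Sales has at least the minimum rights from the table.'
} else {
    Write-Warning ('CONTOSO\Sales is missing: ' +
        [System.Security.AccessControl.FileSystemRights]$missing)
}
```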
Enable SMB access
If you want to enable the sync share for SMB access, open Windows Explorer and navigate to the “This PC” location. Right-click the “SalesShare” folder, and select “Share with” -> “Specific people”. Add Contoso\Sales and change the permission level to “Read/Write”, as shown below.
Complete the UI by clicking the “Share” button.
Now users can also access the dataset through the UNC path.
Note: Once the server is enabled for SMB access, the server will check for data changes every 5 minutes by default. You can decrease the enumeration interval (for example, to 1 minute) by running the following cmdlet on the server:
PS C:\> Set-SyncServerSetting -MinimumChangeDetectionMins 1
This increases the server load each time the server enumerates files to detect changes; on the other hand, changes made locally on the server through SMB can only be detected at each enumeration. It is a balancing act between the change detection delay you can tolerate and the load the server can handle.
Client setup
Since we prepared 2 VMs as the client machines, you will need to repeat the following setup on both client machines.
Step 10: Lab testing specific settings
Caution: The following regkey settings are only for lab testing, and should not be configured on any production servers.
1. Allow unsecure connection
By default, the client always connects to the server using SSL, which requires the server to have an SSL certificate installed and configured. In lab testing, you can configure the client to use http by running the following command on the client:
Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v AllowUnsecureConnection /t REG_DWORD /d 1
2. Converting from email address to server URL
When the user enters an email address, such as Jane@contoso.com, the client constructs the URL https://WorkFolders.contoso.com and uses that URL to communicate with the server. In a production environment, you will need to publish the URL for the client to communicate with the server through a reverse proxy. In testing, we’ll bypass the URL publication by configuring the following regkey:
Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\WorkFolders /v ServerUrl /t REG_SZ /d http://syncServer.contoso.com
With this key set, the client will bypass the email address the user entered, and use the URL in the regkey to establish the sync partnership.
Also note that this key will not be present in the RTM release.
3. Change the client polling frequency
By default, the client device polls the server for changes every 10 minutes if there are no local changes under Work Folders. You can configure the following regkey to speed up the polling to 5 seconds:
Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v PollingInterval /t REG_DWORD /d 5
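Because these three values weaken the client (plain HTTP, a hard-coded server URL, aggressive polling), it helps to have one script that both applies them and can audit and strip them again before a lab VM is reused. This is an added helper, not from the original post; the registry paths, value names and types are the post's, while the switch and function names are assumptions.

```powershell
# Added example (not from the original post): -Apply writes the Step 10 lab-only values,
# -Remove deletes them, and either way the script reports which are still present.
# Save as a .ps1 and run on the client VM; the HKCU value applies to the current user.
param([switch]$Apply, [switch]$Remove, [string]$ServerUrl = 'http://syncServer.contoso.com')

$hklm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders'
$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WorkFolders'

# The three values from the post, with the types the reg add commands use.
$labValues = @(
    @{ Key = $hklm; Name = 'AllowUnsecureConnection'; Type = 'DWord';  Value = 1 },
    @{ Key = $hkcu; Name = 'ServerUrl';               Type = 'String'; Value = $ServerUrl },
    @{ Key = $hklm; Name = 'PollingInterval';         Type = 'DWord';  Value = 5 }
)

function Get-LabWorkFoldersSetting {
    # Returns the lab-only values that currently exist, for auditing a machine's state.
    foreach ($v in $labValues) {
        $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Key = $v.Key; Name = $v.Name; Value = $item.($v.Name) }
        }
    }
}

if ($Apply) {
    foreach ($v in $labValues) {
        # reg add creates the key implicitly; New-ItemProperty needs it to exist first.
        if (-not (Test-Path $v.Key)) { New-Item -Path $v.Key -Force | Out-Null }
        New-ItemProperty -Path $v.Key -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
    }
}

if ($Remove) {
    foreach ($v in $labValues) {
        Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    }
}

# Report: anything listed here is a lab-only setting the post says must not reach production.
$present = @(Get-LabWorkFoldersSetting)
if ($present.Count -eq 0) { 'No lab-only Work Folders settings present.' }
else { $present | Format-Table -AutoSize }
```

Run with -Apply while setting up the two client VMs, and with -Remove (or with no switch, to audit) before a client is moved off the private lab switch.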
Step 11: Work Folders setup
1. The user can find the setup link in Control Panel -> System and Security -> Work Folders.
2. Provide the user email address, and then click Next.
Note: If the client machine is domain joined, the user will not be prompted for credentials.
3. Specify where to store Work Folders on the device.
Note: Users cannot change the Work Folders location in the preview release of Windows 8.1. This will be changed in the final RTM release.
4. Consent to the device policy, and then click Setup Work Folders.
Work Folders is now configured on the device. You can open File Explorer to see Work Folders.
Once you have configured both client machines, the user can access the documents under the Work Folders location from any device, and the documents will be kept in sync by Work Folders.
Sync in action
To test Work Folders, create a document (using Notepad or any other app) on one of the client machines and save the document under the Work Folders location. In a few moments, you should see the document synced to the other client machine.
Since the sync location was also enabled for SMB access, users can also view the data on computers without Work Folders by typing the UNC path in Explorer: