User Home Folders

Soldato
Joined
30 Sep 2005
Posts
16,550
Hi Everyone,

Just wondered what everyone else is doing with their users' home drives?

Let's say a company with 5,000 employees gives their users 10gb each. That's 50tb in total. Ignoring data dedupe and the like I'm interested in how you are provisioning the storage and serving it to users.

Obviously creating a 50tb volume and sharing it out is a big no-no. If the volume needed a chkdsk or simply failed and needed restoring it would take ages. SAN snapshots are in place for cyber attacks already.

Currently we have a large file server farm under a DFSN share. Each file server has multiple 2tb volumes with departments living on each. There is also DFSR enabled for various departments replicated to a secondary data centre.

Example

FILESERVER1

D:\Marketing
E:\Finance

FILESERVER2

D:\HR
E:\Facilities

So all the users in marketing get their home drives within the marketing folder. The issue is one company has a huge turnover of staff and they often change departments. This is an issue when their data then finds itself in the wrong department.

Ideally I'd like to merge all user data together, but don't want a huge volume, nor add to any admin burden.

Any tips?
 
Associate
Joined
1 Sep 2009
Posts
1,084
For the actual file server itself you could look at something like Microsoft's Scale Out File Server approach which allows you to simply add new nodes to increase your storage size. Then you would define shares like "\\files\HR", "\\files\Marketing" etc and they would automagically be provisioned across all the nodes giving you resilience across them.

To manage joiner/mover/leaver processes you would simply have access to those shares defined by AD groups, then you would use an identity management system to manage membership of those groups by taking a feed of user data direct from HR. If the HR system says someone has changed roles, they automatically are removed from groups that are no longer relevant and added to the ones that are. Microsoft MIM does this but there are other solutions like Sailpoint and Oracle OIM which are better. All IDM solutions take a lot of design and configuration, it's a significant project.
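
The mover/leaver reconciliation described in the post above, as an added example that is not part of the original thread: it compares an HR feed with current group membership and prints the removals and additions needed. The feed columns, the account names and the `FS_<Department>_RW` group naming are assumptions, and all data is constructed.

```powershell
# Added example: constructed data; group names FS_<Department>_RW are hypothetical.
$hrFeed = @'
SamAccountName,Department,Status
asmith,Marketing,Active
bjones,Finance,Active
cdavis,HR,Leaver
'@ | ConvertFrom-Csv

# Constructed snapshot of current membership; in production this would be
# read with Get-ADGroupMember for each managed group.
$current = @{
    'FS_Marketing_RW' = @('asmith', 'bjones')   # bjones has moved to Finance
    'FS_Finance_RW'   = @()
    'FS_HR_RW'        = @('cdavis')             # cdavis has left
}

function Get-MembershipPlan {
    param(
        [Parameter(Mandatory)] [object[]]  $Feed,
        [Parameter(Mandatory)] [hashtable] $CurrentMembership
    )
    # Desired state: each active user is only in their own department's group.
    $desired = @{}
    foreach ($g in $CurrentMembership.Keys) { $desired[$g] = @() }
    foreach ($row in $Feed | Where-Object Status -eq 'Active') {
        $group = "FS_$($row.Department)_RW"
        if (-not $desired.ContainsKey($group)) {
            Write-Warning "No managed group for department '$($row.Department)'"
            continue
        }
        $desired[$group] += $row.SamAccountName
    }
    foreach ($g in $desired.Keys | Sort-Object) {
        # Within each group, stale access is listed before new access.
        foreach ($u in $CurrentMembership[$g] | Where-Object { $_ -notin $desired[$g] }) {
            [pscustomobject]@{ Action = 'Remove'; Group = $g; User = $u }
        }
        foreach ($u in $desired[$g] | Where-Object { $_ -notin $CurrentMembership[$g] }) {
            [pscustomobject]@{ Action = 'Add'; Group = $g; User = $u }
        }
    }
}

$plan = Get-MembershipPlan -Feed $hrFeed -CurrentMembership $current
$plan | Format-Table -AutoSize
# To apply the plan on a host with the ActiveDirectory module, per row:
#   Remove-ADGroupMember -Identity <Group> -Members <User> -Confirm:$false
#   Add-ADGroupMember    -Identity <Group> -Members <User>
```

With the constructed data the plan adds bjones to the Finance group and removes bjones from Marketing and cdavis from HR.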
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,550
Thanks for your reply. What you have suggested is pretty much what we are already doing. Kinda thought in this day and age there would be a better solution. The project was designed and implemented by myself a couple of years ago, but now that I have a bit of free time I'm looking to make some improvements.
 

GDL

Associate
Joined
10 Sep 2014
Posts
430
Location
UK
Move the home folders out of the departmental structure into their own areas.
\\Server1\Homefolders\%username%

We do it by physical branch location

\\Server1\Birmingham\HomeFolders\%username%
\\Server1\Southampton\HomeFolders\%username%

Then you have another area for Departmental data

\\Server1\HR\
 
Soldato
Joined
1 Apr 2014
Posts
18,632
Location
Aberdeen
Have you thought through permissions issues?

Do you allow people to have access to others' home drives? E.g. secretary & boss or boss & employee who's left. If so, I suggest you resist the temptation to assign them directly but create groups instead (e.g. u_%username%). This makes management much easier. You can refine it to add read-only, read-write, etc.
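
A check for the advice in the post above, as an added example that is not part of the original thread: it flags explicit Allow entries on a home folder that name anyone other than the folder's owner or that owner's `u_<username>` group. The domain name `CORP`, the account names and the allowed built-in principals are assumptions, and the sample entries are constructed.

```powershell
# Added example. Assumptions: home folders are named after the user, the
# per-user group is u_<username>, and the domain NetBIOS name is CORP.
function Test-HomeFolderAce {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        # Objects with IdentityReference, AccessControlType and IsInherited,
        # e.g. the .Access collection returned by Get-Acl.
        [Parameter(Mandatory)] [object[]] $Ace,
        [string]   $Domain  = 'CORP',
        [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $ok = $Allowed + "$Domain\$UserName" + "$Domain\u_$UserName"
    # Report explicit (non-inherited) Allow entries for any other principal.
    $Ace | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        "$($_.IdentityReference)" -notin $ok
    }
}

# Constructed entries for asmith's home folder.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; AccessControlType = 'Allow'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CORP\asmith';            AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\u_asmith';          AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\bjones';            AccessControlType = 'Allow'; IsInherited = $false }  # direct grant
)

$findings = Test-HomeFolderAce -UserName 'asmith' -Ace $sample
$findings | Format-Table IdentityReference, AccessControlType, IsInherited

# Against a real share, feed it the live ACLs (path is a placeholder):
#   Get-ChildItem -Directory '\\Server1\Homefolders' | ForEach-Object {
#       Test-HomeFolderAce -UserName $_.Name -Ace (Get-Acl -LiteralPath $_.FullName).Access
#   }
```

Only the `CORP\bjones` entry is reported; access granted through `u_asmith` passes because membership of that group is managed in the directory, not on the folder.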
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,550
Move the home folders out of the departmental structure into their own areas.
\\Server1\Homefolders\%username%

We do it by physical branch location

\\Server1\Birmingham\HomeFolders\%username%
\\Server1\Southampton\HomeFolders\%username%

Then you have another area for Departmental data

\\Server1\HR\

I've thought about that, but we only have two huge sites
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,550
Have you thought through permissions issues?

Do you allow people to have access to others' home drives? E.g. secretary & boss or boss & employee who's left. If so, I suggest you resist the temptation to assign them directly but create groups instead (e.g. u_%username%). This makes management much easier. You can refine it to add read-only, read-write, etc.

We would never allow that. Permissions are 100% perfect
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,550
:)

Another reason for implementing groups on home directories is security: it allows first-line support to change the groups' memberships without giving them permissions to home directories.

Yeah that was all done during the file server project

I think the original solution was correct, we just need a small finishing piece to perfect it. It's going to almost certainly involve some kind of automation (be it MIM or even some PowerShell/VBS)
 
Associate
Joined
25 Jun 2004
Posts
1,276
Location
.sk.dkwop.
For the actual file server itself you could look at something like Microsoft's Scale Out File Server approach which allows you to simply add new nodes to increase your storage size. Then you would define shares like "\\files\HR", "\\files\Marketing" etc and they would automagically be provisioned across all the nodes giving you resilience across them.

To manage joiner/mover/leaver processes you would simply have access to those shares defined by AD groups, then you would use an identity management system to manage membership of those groups by taking a feed of user data direct from HR. If the HR system says someone has changed roles, they automatically are removed from groups that are no longer relevant and added to the ones that are. Microsoft MIM does this but there are other solutions like Sailpoint and Oracle OIM which are better. All IDM solutions take a lot of design and configuration, it's a significant project.

SOFS is NOT recommended for user data, such as folder redirection, due to the metadata updates and constant referrals between the volume owner and the redirection. It's recommended instead to use "General Use File Server Cluster" for this workload.
 