Folder Redirection in Small Business Server 2008
[Today’s post comes to us courtesy of Shawn Sullivan from Commercial Technical Support]
Folder redirection is used to centrally store a user’s documents in a network location that would otherwise be located only on their individual client machine. In SBS environments, administrators use folder redirection as a convenient method to store this information on the server to be included in the normal SBS backup rotation.
Both SBS 2003 and SBS 2008 use Group Policy to accomplish this; however they differ significantly in their method. While SBS 2003 links a folder redirection GPO at the domain level and applies to all authenticated users, SBS 2008 links its GPO at the SBSUsers Organization Unit and includes only the specific users you assign to it through the SBS console.
Below is the SBS 2003 Small Business Server Folder Redirection GPO. This is created when you configure folder redirection in the Server Management Console and is deleted when you disable it.
Below is the SBS 2008 Small Business Server Folder Redirection Policy GPO. This is created during SBS integrated setup and is never removed.
In an SBS 2003 to SBS 2008 migration scenario, both of these GPOs will be present after the installation of SBS 2008 if folder redirection was previously enabled. As part of the post-migration steps, you will add the desired users to the Windows SBS Folder Redirection Accounts, force group policy update on all clients, and then remove the GPO created by SBS 2003 that is linked at the domain level. Users who are members of the new group will have their data automatically moved from the SBS 2003 machine to the SBS 2008 machine upon their next login. Those users who are not participating in folder redirection will have their data moved back to their local client machine upon their next login. If you attempt to move the data manually or if both SBS servers are not online during this entire process, then you will run into failures (see troubleshooting section below).
Adding Users whose folders will be redirected
There are two locations where you can accomplish this. The first place is under Shared Folders and Websites > Shared Folders > Redirect folder for user accounts to the server
The second is under Users and Groups > Users > Redirect folders for user accounts to the server
Both locations launch the same window where you can choose which folders to redirect (Desktop, Documents, and Start Menu) and for which user accounts. When you do this, the user account is made a member of the Windows SBS Folder Redirection Accounts:
You may receive an informational message reminding you that it may take a few logins to complete the entire redirection process, especially if you are migrating folder redirection settings from SBS 2003:
GPO settings detail
The GPO consists of the following settings:
- A Desktop, My Documents, and Start Menu will be created under \\SERVERNAME\RedirectedFolders\%USERNAME%\ , depending on the selections you made above. This share is physically located in C:\Users\FolderRedirections by default, but can be moved using the Move Users’ Redirected Documents Data wizard
- The contents of Desktop, Documents,and/or Start Menu, if selected for redirection, will be moved to the new location and the user account will have exclusive rights to this directory. Not even the domain administrator will have permissions to other user’s folders without first taking ownership of it.
- The “Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems” is enabled for each folder. This is purely to enable these operating systems to read the configuration file from SYSVOL to apply folder redirection. This is explained in detail in KB 947025.
- A user’s Music, Pictures, and Videos folders will be redirected as subfolders under \\SERVERNAME\RedirectedFolders\%USERNAME%\My Documents. This exists for backwards compatibility with Windows 2000, 2003, and XP since these operating systems store those folders under “My Documents”. For instance, this allows a user to login to a Win7 and an XP machine and maintain the same folder structure on the server. Without this feature, the redirection to the server would not work.
Troubleshooting Folder Redirection problems
The top causes of folder redirection failure are incorrect permissions on the network share, Group Policy deployment failure, and problems with Offline Files.
Permission issues usually originate from manually moving the user’s folder from one location to another, or if the administrator takes ownership of the user’s folder to gain access to the contents. To prevent the first scenario from occurring, use the Move Users’ Redirected Documents Data wizard . A typical error you will receive on the client machine will be something like this:
Event Type: Error
Event Source: Folder Redirection
Event Category: None
Event ID: 102
Description: Failed to perform redirection of folder My Documents. The files for the redirected folder could not be moved to the new location. The folder is configured to be redirected to \\ servername \ sharename \%username%. Files were being moved from C:\Documents and Settings\ user \My Documents to \\ servername \ sharename \ user . The following error occurred: The security descriptor structure is invalid.
If you suspect that you are in this situation, verify the following:
- The redirected user account must have at least Read, Traverse folder, List folder, Read attributes, and Read extended attributes on the actual share \\SERVERNAME\RedirectedFolders. If you cannot open this share from the client machine because you get an “Access Denied”, folder redirection will not work.
- The redirected user account must have Full control and be the Owner of their personal folder \\SERVERNAME\RedirectedFolders\%USERNAME%\ . If not, the GPO will fail to apply to that user upon login.
Group Policy deployment issues
There are numerous potential causes to Group Policy deployment failures, use the checklist below to identify the most common:
- Users must be able to login to the domain from their client machines.
- The server must be able to successfully apply group policy to itself and user/computer accounts.
- Shares must be fully accessible from the server itself and the client.
Note: These first three bullet points are usually caused by network configuration error of the client, server, or both. For the server, run the SBS BPA to identify these issues. On the client, make sure the interface it’s using to communicate with the server has a valid IP address with the correct subnet mask and that it’s using the SBS server as it’s only DNS server.
- Ensure that the correct GPO is applying the Folder Redirection settings. We often see situations where Folder Redirection settings have been incorrectly applied on another GPO at some point in time, usually on the Default Domain or Default Domain Controllers Policy and usually with the wrong settings. Use the Group Policy Results wizard to determine which GPO is applying the settings for the user account in question.
- Ensure the settings in the Small Business Server Folder Redirection GPO are correct according to the “GPO settings detail” section above.
- When migrating from SBS 2003 to SBS 2008, follow the previously mentioned post-migration steps carefully to avoid any confusion in the settings deployed to the client. If the client cannot reach the original network location on the source server before the process is complete, this will fail.
There are certain circumstances that will result in Offline Files preventing the client from reaching network shares on the server. One such issue that we run into frequently is documented in the following KB article:
274789 The Folder Redirection Feature Does Not Function
Usually the resolution to these cases is to reset the Offline File cache on the client and logging off and back onto the domain.