Deploying Work Folders

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10, Windows 8.1, Windows 7

This topic discusses the steps needed to deploy Work Folders. It assumes that you've already read Planning a Work Folders deployment.

To deploy Work Folders, a process that can involve multiple servers and technologies, use the following steps.

Tip

The simplest Work Folders deployment is a single file server (often called a sync server) without support for syncing over the Internet, which can be a useful deployment for a test lab or as a sync solution for domain-joined client computers. To create a simple deployment, these are the minimum steps to follow:

  • Step 1: Obtain SSL certificates
  • Step 2: Create DNS records
  • Step 3: Install Work Folders on file servers
  • Step 4: Binding the SSL certificate on the sync servers
  • Step 5: Create security groups for Work Folders
  • Step 7: Create sync shares for user data

Step 1: Obtain SSL certificates

Work Folders uses HTTPS to securely synchronize files between the Work Folders clients and the Work Folders server. The requirements for SSL certificates used by Work Folders are as follows:

  • The certificate must be issued by a trusted certification authority. For most Work Folders implementations, a publicly trusted CA is recommended, since certificates will be used by non-domain-joined, Internet-based devices.

  • The certificate must be valid.

  • The private key of the certificate must be exportable (as you will need to install the certificate on multiple servers).

  • The subject name of the certificate must contain the public Work Folders URL used for discovering the Work Folders service from across the Internet – this must be in the format of workfolders.<domain_name>.

  • Subject alternative names (SANs) must be present on the certificate listing the server name for each sync server in use.

    The Work Folders Certificate Management blog provides additional information on using certificates with Work Folders.

Step 2: Create DNS records

To allow users to sync across the Internet, you must create a Host (A) record in public DNS to allow Internet clients to resolve your Work Folders URL. This DNS record should resolve to the external interface of the reverse proxy server.

On your internal network, create a CNAME record in DNS named workfolders which resolves to the FQDN of a Work Folders server. When Work Folders clients use auto discovery, the URL used to discover the Work Folders server is https://workfolders.domain.com. If you plan to use auto discovery, the workfolders CNAME record must exist in DNS.

Step 3: Install Work Folders on file servers

You can install Work Folders on a domain-joined server by using Server Manager or by using Windows PowerShell, locally or remotely across a network. This is useful if you are configuring multiple sync servers across your network.

To deploy the role in Server Manager, do the following:

  1. Start the Add Roles and Features Wizard.

  2. On the Select installation type page, choose Role-based or feature-based deployment.

  3. On the Select destination server page, select the server on which you want to install Work Folders.

  4. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.

  5. When asked if you want to install IIS Hostable Web Core, click Ok to install the minimal version of Internet Information Services (IIS) required by Work Folders.

  6. Click Next until you have completed the wizard.

To deploy the role by using Windows PowerShell, use the following cmdlet:

Add-WindowsFeature FS-SyncShareService  

Step 4: Binding the SSL certificate on the sync servers

Work Folders installs the IIS Hostable Web Core, which is an IIS component designed to enable web services without requiring a full installation of IIS. After installing the IIS Hostable Web Core, you should bind the SSL certificate for the server to the Default Web Site on the file server. However, the IIS Hostable Web Core does not install the IIS Management console.

There are two options for binding the certificate to the Default Web Interface. To use either option you must have installed the private key for the certificate into the computer's personal store.

  • Utilize the IIS management console on a server that has it installed. From within the console, connect to the file server you want to manage, and then select the Default Web Site for that server. The Default Web Site will appear disabled, but you can still edit the bindings for the site and select the certificate to bind it to that web site.

  • Use the netsh command to bind the certificate to the Default Web Site https interface. The command is as follows:

    netsh http add sslcert ipport=<IP address>:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY
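
Before binding, the certificate can be checked against the Step 1 requirements. The following is an added example, not part of the original documentation; the host names and placeholder values are assumptions, and `Test-WorkFoldersCertificate` is a hypothetical helper name.

```powershell
# Added example. Values below are placeholders/assumptions; replace them before running.
$Thumbprint  = '<Cert thumbprint>'                       # certificate in LocalMachine\My
$PublicName  = 'workfolders.contoso.com'                 # workfolders.<domain_name>
$SyncServers = 'sync1.contoso.com', 'sync2.contoso.com'  # hypothetical sync server names
$IPPort      = '<IP address>:443'

function Test-WorkFoldersCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)] [string]   $PublicName,
        [Parameter(Mandatory = $true)] [string[]] $SyncServers
    )
    $problems = @()
    $now = Get-Date

    # "The certificate must be valid": inside its validity period ...
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }
    # ... and chaining to a root this machine trusts. Verify() builds the chain with
    # the default policy, which includes an online revocation check.
    if (-not $Certificate.Verify()) {
        $problems += 'Chain does not verify against the trusted roots on this machine'
    }
    # netsh can only bind a certificate whose private key is in the computer's personal store.
    # Exportability of the key is not checked here.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key is associated with the certificate in this store'
    }
    # The subject must carry the public discovery name.
    if ($Certificate.Subject -notmatch [regex]::Escape("CN=$PublicName")) {
        $problems += "Subject '$($Certificate.Subject)' does not contain CN=$PublicName"
    }
    # Every sync server must be covered by a DNS name on the certificate.
    # DnsNameList is a property PowerShell adds to X509Certificate2 objects.
    $dnsNames = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($server in $SyncServers) {
        # -like lets a wildcard entry such as *.contoso.com match the server name.
        $covered = $dnsNames | Where-Object { $server -like $_ }
        if (-not $covered) { $problems += "No DNS name on the certificate covers $server" }
    }
    $problems
}

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$problems = @(Test-WorkFoldersCertificate -Certificate $cert -PublicName $PublicName -SyncServers $SyncServers)

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    # Print, rather than run, the binding command from this step so it can be reviewed first.
    "netsh http add sslcert ipport=$IPPort certhash=$($cert.Thumbprint) appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY"
}
```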
    

Step 5: Create security groups for Work Folders

Before creating sync shares, a member of the Domain Admins or Enterprise Admins groups needs to create some security groups in Active Directory Domain Services (AD DS) for Work Folders (they might also want to delegate some control as described in Step 6). Here are the groups you need:

  • One group per sync share to specify which users are allowed to sync with the sync share

  • One group for all Work Folders administrators so that they can edit an attribute on each user object that links the user to the correct sync server (if you're going to use multiple sync servers)

    Groups should follow a standard naming convention and should be used only for Work Folders to avoid potential conflicts with other security requirements.

    To create the appropriate security groups, use the following procedure multiple times – once for each sync share, and once to optionally create a group for file server administrators.

To create security groups for Work Folders

  1. Open Server Manager on a Windows Server 2012 R2 or Windows Server 2016 computer with Active Directory Administration Center installed.

  2. On the Tools menu, click Active Directory Administration Center. Active Directory Administration Center appears.

  3. Right-click the container where you want to create the new group (for example, the Users container of the appropriate domain or OU), click New, and then click Group.

  4. In the Create Group window, in the Group section, specify the following settings:

    • In Group name, type the name of the security group, for example: HR Sync Share Users, or Work Folders Administrators.

    • In Group scope, click Security, and then click Global.

  5. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

  6. Type the names of the users or groups to which you grant access to a particular sync share (if you're creating a group to control access to a sync share), or type the names of the Work Folders administrators (if you're going to configure user accounts to automatically discover the appropriate sync server), click OK, and then click OK again.

To create a security group by using Windows PowerShell, use the following cmdlets:

$GroupName = "Work Folders Administrators"  
$DC = "DC1.contoso.com"  
$ADGroupPath = "CN=Users,DC=contoso,DC=com"  
$Members = "CN=Maya Bender,CN=Users,DC=contoso,DC=com","CN=Irwin Hume,CN=Users,DC=contoso,DC=com"  

New-ADGroup -GroupCategory:"Security" -GroupScope:"Global" -Name:$GroupName -Path:$ADGroupPath -SamAccountName:$GroupName -Server:$DC  
Set-ADGroup -Add:@{'Member'=$Members} -Identity:$GroupName -Server:$DC

Step 6: Optionally delegate user attribute control to Work Folders administrators

If you are deploying multiple sync servers and want to automatically direct users to the correct sync server, you'll need to update an attribute on each user account in AD DS. However, this normally requires getting a member of the Domain Admins or Enterprise Admins groups to update the attributes, which can quickly become tiresome if you need to frequently add users or move them between sync servers.

For this reason, a member of the Domain Admins or Enterprise Admins groups might want to delegate the ability to modify the msDS-SyncServerURL property of user objects to the Work Folders Administrators group you created in Step 5, as described in the following procedure.

Delegate the ability to edit the msDS-SyncServerURL property on user objects in AD DS

  1. Open Server Manager on a Windows Server 2012 R2 or Windows Server 2016 computer with Active Directory Users and Computers installed.

  2. On the Tools menu, click Active Directory Users and Computers. Active Directory Users and Computers appears.

  3. Right-click the OU under which all user objects exist for Work Folders (if users are stored in multiple OUs or domains, right-click the container that is common to all of the users), and then click Delegate Control…. The Delegation of Control Wizard appears.

  4. On the Users or Groups page, click Add… and then specify the group you created for Work Folders administrators (for example, Work Folders Administrators).

  5. On the Tasks to Delegate page, click Create a custom task to delegate.

  6. On the Active Directory Object Type page, click Only the following objects in the folder, and then select the User objects checkbox.

  7. On the Permissions page, clear the General checkbox, select the Property-specific checkbox, and then select the Read msDS-SyncServerUrl, and Write msDS-SyncServerUrl checkboxes.

To delegate the ability to edit the msDS-SyncServerURL property on user objects by using Windows PowerShell, use the following example script that makes use of the DsAcls command.

$GroupName = "Contoso\Work Folders Administrators"  
$ADGroupPath = "CN=Users,dc=contoso,dc=com"  

DsAcls $ADGroupPath /I:S /G ""$GroupName":RPWP;msDS-SyncServerUrl;user"  

Note

The delegation operation might take a while to run in domains with a large number of users.
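
After delegating, it is worth confirming that only the intended group can write the attribute. The following is an added example, not part of the original documentation; `Get-SyncServerUrlWriter` is a hypothetical helper name, and the container and group values are the sample ones from the script above.

```powershell
# Added example: list the property-specific ACEs that allow writing msDS-SyncServerUrl
# on a container, and mark any trustee other than the expected group.
Import-Module ActiveDirectory

$ADGroupPath   = "CN=Users,dc=contoso,dc=com"            # container used in the DsAcls script
$ExpectedGroup = "Contoso\Work Folders Administrators"   # group that received the delegation

function Get-SyncServerUrlWriter {
    param(
        [Parameter(Mandatory = $true)] [string] $ContainerDN,
        [Parameter(Mandatory = $true)] [string] $ExpectedGroup
    )
    # Property-specific ACEs identify the attribute by its schemaIDGUID, so read it from the schema.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter '(lDAPDisplayName=msDS-SyncServerUrl)' `
                         -Properties schemaIDGUID
    if (-not $attr) {
        throw 'msDS-SyncServerUrl was not found in the schema (see the Adprep requirement in Step 9).'
    }
    $attrGuid = [guid]$attr.schemaIDGUID

    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # The AD: drive is provided by the ActiveDirectory module.
    # Only ACEs scoped to this one attribute are listed; ACEs that grant write access
    # to all properties have an empty ObjectType and are outside this check.
    (Get-Acl -Path "AD:\$ContainerDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeProperty) -and
            $_.ObjectType -eq $attrGuid
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType,
            @{ Name = 'Expected'; Expression = { $_.IdentityReference.Value -eq $ExpectedGroup } }
}

$writers = @(Get-SyncServerUrlWriter -ContainerDN $ADGroupPath -ExpectedGroup $ExpectedGroup)
$writers | Format-Table -AutoSize

if (-not ($writers | Where-Object { $_.Expected })) {
    Write-Warning "No ACE for $ExpectedGroup was found on $ADGroupPath."
}
$writers | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Unexpected trustee can write msDS-SyncServerUrl: $($_.IdentityReference)"
}
```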

Step 7: Create sync shares for user data

At this point, you're ready to designate a folder on the sync server to store your user's files. This folder is called a sync share, and you can use the following procedure to create one.

  1. If you don't already have an NTFS volume with free space for the sync share and the user files it will contain, create a new volume and format it with the NTFS file system.

  2. In Server Manager, click File and Storage Services, and then click Work Folders.

  3. A list of any existing sync shares is visible at the top of the details pane. To create a new sync share, from the Tasks menu choose New Sync Share…. The New Sync Share Wizard appears.

  4. On the Select the server and path page, specify where to store the sync share. If you already have a file share created for this user data, you can choose that share. Alternatively you can create a new folder.

    Note

    By default, sync shares aren't directly accessible via a file share (unless you pick an existing file share). If you want to make a sync share accessible via a file share, use the Shares tile of Server Manager or the New-SmbShare cmdlet to create a file share, preferably with access-based enumeration enabled.

  5. On the Specify the structure for user folders page, choose a naming convention for user folders within the sync share. There are two options available:

    • User alias creates user folders that don't include a domain name. If you are using a file share that is already in use with Folder Redirection or another user data solution, select this naming convention. You can optionally select the Sync only the following subfolder checkbox to sync only a specific subfolder, such as the Documents folder.

    • User alias@domain creates user folders that include a domain name. If you aren't using a file share already in use with Folder Redirection or another user data solution, select this naming convention to eliminate folder naming conflicts when multiple users of the share have identical aliases (which can happen if the users belong to different domains).

  6. On the Enter the sync share name page, specify a name and a description for the sync share. This is not advertised on the network but is visible in Server Manager and Windows PowerShell to help distinguish sync shares from each other.

  7. On the Grant sync access to groups page, specify the group that you created that lists the users allowed to use this sync share.

    Important

    To improve performance and security, grant access to groups instead of individual users and be as specific as possible, avoiding generic groups such as Authenticated Users and Domain Users. Granting access to groups with large numbers of users increases the time it takes Work Folders to query AD DS. If you have a large number of users, create multiple sync shares to help disperse the load.

  8. On the Specify device policies page, specify whether to request any security restrictions on client PCs and devices. There are two device policies that can be individually selected:

    • Encrypt Work Folders: Requests that Work Folders be encrypted on client PCs and devices

    • Automatically lock screen, and require a password: Requests that client PCs and devices automatically lock their screens after 15 minutes, require a six-character or longer password to unlock the screen, and activate a device lockout mode after 10 failed retries

      Important

      To enforce password policies for Windows 7 PCs and for non-administrators on domain-joined PCs, use Group Policy password policies for the computer domains and exclude these domains from the Work Folders password policies. You can exclude domains by using the Set-Syncshare -PasswordAutoExcludeDomain cmdlet after creating the sync share. For information about setting Group Policy password policies, see Password Policy.

  9. Review your selections and complete the wizard to create the sync share.

You can create sync shares using Windows PowerShell by using the New-SyncShare cmdlet. Below is an example of this method:

New-SyncShare "HR Sync Share" K:\Share-1 -User "HR Sync Share Users"

The example above creates a new sync share named HR Sync Share with the path K:\Share-1, and access granted to the group named HR Sync Share Users.

Tip

After you create sync shares you can use File Server Resource Manager functionality to manage the data in the shares. For example, you can use the Quota tile inside the Work Folders page in Server Manager to set quotas on the user folders. You can also use File Screening Management to control the types of files that Work Folders will sync, or you can use the scenarios described in Dynamic Access Control for more sophisticated file classification tasks.

Step 8: Optionally specify a tech support email address

After installing Work Folders on a file server, you probably want to specify an administrative contact email address for the server. To add an email address, use the following procedure:

Specifying an administrative contact email

  1. In Server Manager, click File and Storage Services, and then click Servers.

  2. Right-click the sync server, and then click Work Folders Settings. The Work Folders Settings window appears.

  3. In the navigation pane, click Support Email and then type the email address or addresses that users should use when emailing for help with Work Folders. Click OK when you're finished.

    Work Folders users can click a link in the Work Folders Control Panel item that sends an email containing diagnostic information about the client PC to the address(es) you specify here.

Step 9: Optionally set up server automatic discovery

If you are hosting multiple sync servers in your environment, you should configure server automatic discovery by populating the msDS-SyncServerURL property on user accounts in AD DS.

Note

The msDS-SyncServerURL property in Active Directory should not be defined for remote users that are accessing Work Folders through a reverse proxy solution such as Web Application Proxy or Azure AD Application Proxy. If the msDS-SyncServerURL property is defined, the Work Folders client will try to access an internal URL that’s not accessible through the reverse proxy solution. When using Web Application Proxy or Azure AD Application Proxy, you need to create unique proxy applications for each Work Folders server. For more details, see Deploying Work Folders with AD FS and Web Application Proxy: Overview or Deploying Work Folders with Azure AD Application Proxy.

Before you can do so, you must install a Windows Server 2012 R2 domain controller or update the forest and domain schemas by using the Adprep /forestprep and Adprep /domainprep commands. For information on how to safely run these commands, see Running Adprep.

You probably also want to create a security group for file server administrators and give them delegated permissions to modify this particular user attribute, as described in Step 5 and Step 6. Without these steps you would need to get a member of the Domain Admins or Enterprise Admins group to configure automatic discovery for each user.

To specify the sync server for users

  1. Open Server Manager on a computer with Active Directory Administration Tools installed.

  2. On the Tools menu, click Active Directory Administration Center. Active Directory Administration Center appears.

  3. Navigate to the Users container in the appropriate domain, right-click the user you want to assign to a sync share, and then click Properties.

  4. In the Navigation pane, click Extensions.

  5. Click the Attribute Editor tab, select msDS-SyncServerUrl and then click Edit. The Multi-valued String Editor dialog box appears.

  6. In the Value to add box, type the URL of the sync server with which you want this user to sync, click Add, click OK, and then click OK again.

    Note

    The sync server URL is simply https:// or http:// (depending on whether you want to require a secure connection) followed by the fully qualified domain name of the sync server. For example, https://sync1.contoso.com.

To populate the attribute for multiple users, use Active Directory PowerShell. Below is an example that populates the attribute for all members of the HR Sync Share Users group, discussed in Step 5.

$SyncServerURL = "https://sync1.contoso.com"  
$GroupName = "HR Sync Share Users"  

Get-ADGroupMember -Identity $GroupName |
Set-ADUser -Add @{"msDS-SyncServerURL"=$SyncServerURL}
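
Because the attribute accepts any string and controls where each client sends its files, the populated values can be reviewed periodically. The following is an added example, not part of the original documentation; `Find-SyncServerUrlIssue` is a hypothetical helper name and the approved host list is an assumption.

```powershell
# Added example: report user accounts whose msDS-SyncServerUrl is malformed, does not use
# HTTPS, or points at a host that is not one of your sync servers.
Import-Module ActiveDirectory

$ApprovedHosts = @('sync1.contoso.com')   # assumed list of legitimate sync servers

function Find-SyncServerUrlIssue {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ApprovedHosts
    )
    # Only accounts that have the attribute populated are returned by this filter.
    Get-ADUser -LDAPFilter '(msDS-SyncServerUrl=*)' -Properties 'msDS-SyncServerUrl' |
        ForEach-Object {
            $user = $_
            # The attribute is multi-valued, so check every entry.
            foreach ($url in $user.'msDS-SyncServerUrl') {
                $uri = $null
                $parsed = [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)

                $finding = if (-not $parsed) {
                    'Not an absolute URL'
                } elseif ($uri.Scheme -ne 'https') {
                    'Does not require a secure connection (scheme is not https)'
                } elseif ($ApprovedHosts -notcontains $uri.Host) {
                    'Host is not in the approved sync server list'
                } else {
                    $null
                }

                if ($finding) {
                    [pscustomobject]@{
                        SamAccountName = $user.SamAccountName
                        SyncServerUrl  = $url
                        Finding        = $finding
                    }
                }
            }
        }
}

$issues = @(Find-SyncServerUrlIssue -ApprovedHosts $ApprovedHosts)
if ($issues.Count -eq 0) {
    'All populated msDS-SyncServerUrl values use https and point at approved hosts.'
} else {
    $issues | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
}
```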

Step 10: Optionally configure Web Application Proxy, Azure AD Application Proxy, or another reverse proxy

To enable remote users to access their files, you need to publish the Work Folders server through a reverse proxy, making Work Folders available externally on the Internet. You can use Web Application Proxy, Azure Active Directory Application Proxy, or another reverse proxy solution.

To configure Work Folders access using AD FS and Web Application Proxy, see Deploying Work Folders with AD FS and Web Application Proxy (WAP). For background information about Web Application Proxy, see Web Application Proxy in Windows Server 2016. For details on publishing applications such as Work Folders on the Internet using Web Application Proxy, see Publishing Applications using AD FS Preauthentication.

To configure Work Folders access using Azure Active Directory Application Proxy, see Enable remote access to Work Folders using Azure Active Directory Application Proxy.

Step 11: Optionally use Group Policy to configure domain-joined PCs

If you have a large number of domain-joined PCs to which you want to deploy Work Folders, you can use Group Policy to do the following client PC configuration tasks:

  • Specify which sync server users should sync with

  • Force Work Folders to be set up automatically, using default settings (review the Group Policy discussion in Designing a Work Folders Implementation before doing this)

    To control these settings, create a new Group Policy object (GPO) for Work Folders and then configure the following Group Policy settings as appropriate:

  • "Specify Work Folders settings" policy setting in User Configuration\Policies\Administrative Templates\Windows Components\WorkFolders

  • "Force automatic setup for all users" policy setting in Computer Configuration\Policies\Administrative Templates\Windows Components\WorkFolders

Note

These policy settings are available only when editing Group Policy from a computer running Group Policy Management on Windows 8.1, Windows Server 2012 R2 or later. Versions of Group Policy Management from earlier operating systems do not have this setting available. These policy settings do apply to Windows 7 PCs on which the Work Folders for Windows 7 app has been installed.

See also

For additional related information, see the following resources.

Content type and references:

  • Understanding
    • Work Folders
  • Planning
    • Designing a Work Folders Implementation
  • Deployment
    • Deploying Work Folders with AD FS and Web Application Proxy (WAP)
    • Work Folders Test Lab Deployment (blog post)
    • A new user attribute for Work Folders server Url (blog post)
  • Technical Reference
    • Interactive logon: Machine account lockout threshold
    • Sync Share Cmdlets