I’ve been quite busy working lately and must apologize about not blogging much. However, I have been through a lot of learning curves recently and over the next couple of weeks I’d like to share a few of my lessons with you all. The major thing I ran into recently was that nemesis of mine, Windows Offline Files. Now I normally advocate using something like AppSense DataNow, Citrix ShareFile or even SkyDrive Pro to address the issues around synchronizing files from local storage to on-premise, but in this case the laptop deployment was already underway and Offline Files was earmarked as the technology to use in this particular environment. However, there are some contingencies about getting Environment Manager and Offline Files to work together that you may need to be aware of.
Let’s just be clear here though – this isn’t intended to be a definitive guide to getting AppSense Environment Manager delivering Offline Files, just a run-through of some of the issues I’ve had and discoveries I’ve made whilst struggling towards getting a working solution together 🙂
Why Offline Files?
Why indeed? I’ve already mentioned above that there are a number of (in my opinion) much more robust alternatives that can operate in a vastly more reliable way and provide fluid synchronization of follow-me data between on-premise storage and local caches. There are way too many to mention in this space, and comparing them is quite out of scope for the purpose of this article, but just off the top of my head there are the likes of DropBox, AppSense DataNow, Citrix ShareFile, Microsoft SkyDrivePro and many others. Some can also (like AppSense DataNow) aggregate files from multiple providers and present them to the user in a way that can provide separation of corporate and personal data, a very important requirement in a lot of regulatory legislation. If anyone has done a “smackdown” comparison of the various enterprise data-synchronization products out there, I’d be very interested in reading it and providing a link to it from this article. Aaron Parker provided a good article on using AppSense’s own product DataNow to address the follow-me data issue – http://stealthpuppy.com/replacing-redirected-folders-and-offline-files-with-appsense-datanow/
However – as you can imagine, most of these third-party solutions have a price tag attached that makes the AD-bundled Microsoft offering, Offline Files, much more palatable to a lot of companies out there. (Citrix customers with Enterprise or Platinum licensing can also take advantage of ShareFile at no extra cost, although I’m not clear on the storage model provided) This cost factor is a common element in many companies with Microsoft products and means that for most of us out there, we will encounter Offline Files being used on mobile computing devices sooner or later – if you haven’t already done so.
Offline Files and Folder Redirection
Offline Files is designed to work very closely with Microsoft’s own GPO implementation of Folder Redirection. When a folder is redirected through the Microsoft Group Policy engine in User Configuration | Policies | Windows Settings | Folder Redirection, the redirected folder is automatically made available offline, if Offline Files is enabled on the device. The folders will then sync in the background, or the synchronization can be triggered manually using the Sync Center area of Control Panel.
The main problem with Offline Files is that the way it works is poorly documented, and even when talking to Microsoft or ex-Microsoft staff, you will rarely encounter a consistent answer around the actual under-the-hood workings of Offline Files.
Rather than spend a lot of time discussing the ins and outs of Offline Files themselves, I will point you in the direction of a really good write-up done by Helge Klein on his blog at http://helgeklein.com/blog/2012/04/windows-7-offline-files-survival-guide/. One of the things in this excellent article I will draw your attention to, however, is that when configuring Offline Files GPOs, most of the Group Policy Objects apply to the older (XP/2003) versions of Offline Files rather than the Windows 7/2008 R2 versions. Of the total policy objects, only 10 of 28 Computer objects and 2 of 15 User objects are actually applicable to Windows 7 or Server 2008 R2.
Another point worth making is the difference between WinXP and Win7 when resetting the Offline Files database (and believe me, you will have to do this at some point). The Registry value to reset this in WinXP was
HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache\FormatDatabase (DWORD 1)
but in Win7, you will need to use
HKLM\System\CurrentControlSet\Services\CSC\Parameters\FormatDatabase (DWORD 1)
An easy way to tell if the reset was successful is to see if this value still exists after a restart. If it doesn’t, the reset was successful.
Another thing maybe worth mentioning that isn’t covered in Helge’s article (at least I didn’t notice it, I apologize unreservedly if it is!) is the permissions required for Offline Files to work, which are detailed in this article.
Folder Redirection in AppSense Environment Manager and Offline Availability options
AppSense Environment Manager’s own Folder Redirection Actions are slightly more granular than the Group Policy Objects in that Redirected Folders are not automatically available offline. Environment Manager has a check box available in the Folder Redirection Action, allowing you to determine whether the folder should be marked as available offline or not.
 |
| AppSense EM Folder Redirection Action with the “offline” flag set |
Now if you add the “offline” check box after you have already configured and used the Folder Redirection Action, and you are using local or roaming profiles, you may run into a documented issue. Basically, if the redirected folder already exists in the Registry, even though the flag has been changed to mark it offline, EM will simply bypass the Action, resulting in no offline flag being set. You can identify this issue in an EMDebug log by looking for a line something like this
L3 T4520 3118381 [CEMFolderRedirectionAction::RedirectFolder] Current and new destinations are the same, nothing to do!!!
The simple way to work around this issue is to set a Registry Action to delete the Folder Redirection key from the Registry before you apply the Folder Redirection Action. For instance, if you encountered this problem with the redirection of Desktop, you’d use a pair of Actions like this
 |
| Nesting a Folder Redirection Action under a Registry Delete Action |
If the Folder Redirection is successful, and the offline flag is set correctly, you should see a line something like this in your EMDebug logs
Line 19878: L3 T5892 1070993 [CEMFolderRedirectionAction::Vista_RedirectKnownFolder] ENTER, strFolder=’F:\Desktop’, Flags=128
The Flags=128 entry indicates that the folder has been marked as available offline.
If you’re lucky, you may be able to get the Offline availability to work out of the box when done with Environment Manager Folder Redirection. However, in an environment where the base operating system and the Active Directory backbone isn’t particularly tidy, you may encounter some issues, and this is where it will start to get a bit more challenging.
Problems with application of Offline Files via Environment Manager
So unfortunately, as we just alluded to, you may well find that there are occasional issues that can pop up around the usage of Environment Manager to mark folders as available offline.
I find it is usually best to either use Group Policy to manage this in its entirety or leverage Environment Manager to do it – but if you start to combine the two, you may encounter even more inconsistencies and errors. The problem around this is Environment Manager can redirect a lot more folders than Group Policy can – think Cookies, Quick Launch, History, etc. – so those who have already used Group Policy may find that they wish to change to Environment Manager to achieve this. However, some Group Policy Objects have a tendency to “tattoo” themselves to the Registry, so if you are changing from using Group Policy to EM to set your offline folders, you may need to explicitly remove some of the GPO-based Offline Files settings before switching over. You can do this by either setting the GPOs to Disabled or by using Environment Manager to delete the actual Registry keys. This document provides a good reference on which GPO settings map to which Registry keys, should you need to do this.
Some of the configured GPOs that can possibly interfere with offline availability in EM are shown below (there may well be more, these are just the ones I discovered)
Computer Configuration | Administrative Templates | Network | Offline Files | Specify administratively assigned Offline Files
User Configuration | Administrative Templates | Network | Offline Files | Specify administratively assigned Offline Files
Computer Configuration | Administrative Templates | Network | Offline Files | Files not cached (I know this apparently applies to Windows XP/2003 only, but I have actually seen this setting, when configured erroneously, stop Offline Files from working on Windows 7, so it just goes to prove how poorly-documented the Offline Files topic really is)
Computer Configuration | Administrative Templates | Network | Offline Files | Turn on economical application of administratively assigned Offline Files
Computer Configuration | Administrative Templates | Network | Offline Files | At logoff, delete local copy of user’s offline files (again, allegedly Windows XP/2003 only, but the same applies)
If you’re intending to set the GPOs through Environment Manager to control Offline Files, you may want to think about this problem (that exists at time of writing) if you are thinking of using the “Administratively assigned offline files” setting in EM. If you configure this GPO in EM and set it to a network path (you’d be insane if you didn’t enter any data in it, to be fair), you will see this error appear…
…and the policy setting will not be saved.
This has been reported to AppSense and listed as a bug, but at current time of writing it is still an issue, so if you’re needing to set that particular GPO through EM, you may have to use a Registry Action to set the relevant keys and values instead, at least until it is fixed.
Excluding files from the cache in Windows 7/2008 R2
Another bridge that I had to cross to get Offline Files working correctly through Environment Manager was this one. Obviously you don’t want all file types to be cached – think database components and the like – but as seems to be par for the course in Offline Files, discovering what I needed to configure to make this work was much harder than it needed to be. This does start to become a bit of a recurring theme, sadly!
Now, on Windows 7/Server 2008 R2 there is a new Computer GPO that deals with offline file type exclusions, called Exclude Files From Being Cached (see this article for some details around this). In practice, this seems well and good. However, it now starts to get murky. Firstly, this setting doesn’t appear to be referenced in the MS Group Policy Settings document I linked to earlier. Also, according to the documentation for the previous setting used on earlier versions, if the policy is Disabled or Not Configured, the system then uses a default list of file extensions. This appears to be the cause of another issue I came across – when users were saving files to a redirected desktop, temporary files – such as those used by Word – appeared to be excluded from the offline cache, and users were receiving a “network or file permission error” when trying to save changes.
After some trial and error, I configured a Registry setting through EM to set the policy Registry values at HKLM\Software\Policies\Microsoft\Windows\NetCache and HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\NetCache to overwrite this policy setting with a “fake” file extension, the intention being to override the defaults, in case they were still in use.
Synchronization
The next problem we hit was initial synchronization. Offline Files is supposed to synchronize when you first logon in the background at some unspecified point, if offline folders are available, but like everything else (this mantra is getting a little old now) finding out how it’s exactly supposed to work – and whether it does actually work – is a little difficult.
In the end, we got a bit tired of synchronization randomness and oddities and decided to see if there was a way we could trigger it ourselves. Obviously we only wanted it to run if the user was on a laptop endpoint and connected to the corporate network, so the first thing we configured were a couple of Conditions to check for this particular state of affairs – starting with a bit of PS in a Custom Condition to check for corporate LAN connectivity (obviously changing the domain as required)
$result
= $false;
# Use the NLA COM object to check if any of the connected networks are “domain.com”
[Activator]
::CreateInstance([Type]::GetTypeFromCLSID(‘DCB00C01-570F-4A9B-8D69-199FDBA5723B’)).GetNetworks(1) | %{ if($_.GetName() -eq “domain.com”) {$result = $true} };
if
($result)
{
exit 0
}
else
{
exit 1
}
And then a simple check for a laptop, which we have covered in previous posts, to be nested inside the LAN connectivity Condition, which leaves us with these two nested Conditions
Once these two Conditions are satisfied, what we need to do is find a way of triggering an automatic synchronization (we’re going to do this in the Logon trigger, but you can change that if required for your specific needs). Surely someone must have done this before?
Thankfully, the answer is yes – there’s a nice bit of VB available for download in this Technet article. It requires parameters to be passed to it – which is something you can’t do with a Custom Action in EM (feature request!) – so we will need to configure it as an Execute Action instead. I’ve saved the original script into my netlogon share, so obviously you will also need to store this somewhere you can easily call it from. As it’s only running when connected to the corporate network, the netlogon share is a fairly sensible place to call it from, ensuring that it can’t run accidentally when not online.
Another problem we encountered was the automatic resolution of synchronization conflicts. End-users don’t want to be bothered by technical conundrums like deciding which version to save – most of them would just rather it is done automatically. If you’re just synchronizing home drive data, then you can easily get around this using this article from Aaron Parker. If you’re synchronizing departmental drives, though, you might want to take a bit more care and thought over it.
We used an EM Computer Startup Action to set this – dependent on your architectural policy or preferences, you could set this in a number of ways. Obviously you will need to decide on the value you want to use for handling the conflicts!
Summary
If there’s any chance you can stretch to it, and your requirements allow it, I’d recommend using a third-party tool to do this rather than using Offline Files itself. This is totally based on my own difficult experiences, though, and I am more than willing to admit that most of the issues I’ve faced have been caused by the untidy infrastructure that I was trying to implement Offline Files into. However, I am willing to bet that a third-party tool would have installed without issue onto even badly-maintained infrastructure, so I am going to stand by my stance that I’d rather use another option than Offline Files, if I had one.
If you do have to use Offline Files – and I can say now that I know plenty of people who have no major issues with them, especially after the improvements in Windows 7/2008 R2 – then it pays to tidy up the underlying AD infrastructure first, ensuring that old GPOs are not only unlinked, but the settings are removed. Sadly in a lot of environments this isn’t an option however, especially where support teams are compartmentalized and change control is rigorous.
When choosing between the native GPO method and the AppSense EM method, ensure that you make a decision and stick to it. Mixing and matching will only cause more problems, especially with all the different features EM brings.
And finally – expect to have a lot of fun trying to find information about Offline Files and how it works. I wholeheartedly agree with Helge Klein’s comment on his article about Offline Files – that “from my experience there is nobody, even at Microsoft, who fully understands Offline Files“. I have to concede that it seems like this is absolutely true – and it doesn’t seem to have gotten any better in Windows 8/Server 2012.
Share
