New implementation of home and department shares; help me get it right the first time?

I have the rare opportunity to set up from scratch our first home and department share server in a mid-sized company (about 250 people), and would like to make something that's reasonable.

We're going to go with a Windows 2012 system (we have an existing datacenter license). We also have a good AD setup.

In my mind, it's a good idea to put different shares on different SAN LUNs and map them as datastores (and eventually host drives), with different workloads. I need to handle user home folders, a company-wide "temp" drive, a user-specific "PST export" drive, and some sort of inter-department shared storage. I am unsure if I should create multiple guests (such as FS1 for home shares, and FS2 for department ones).

It seems to me that I should build some sort of PowerShell script to create user folders and establish the NTFS permissions, then some Group Policy rules to actually map the drives.

Is this a reasonable approach, or should I consider something different?


Solution 1:

Using different LUNs for different shares really seems like overkill. I can definitely tell you that I've never seen that done. They're all going to have a random-access pattern, so the workloads are going to be very nearly the same. Putting them on separate LUNs may make reconfiguring the storage w/o taking downtime more difficult down the road. I don't think you're going to see any benefit by using distinct LUNs for these shares. (I definitely don't think you're going to see any benefit using separate OS instances / guests, either.)

re: the user folders

You should definitely read up on Folder Redirection as a way to get your users' content onto the server computers. It's based on Group Policy and very easy to manage and configure. The only negative, as I see it, is that users have to wait the first time they log on after the policy applies while all their content copies up to the server computer.

Different people have different opinions on permissions for Folder Redirection. Some people use the stock functionality in Windows that allows folders to be created automatically. I see this as a potential DoS attack and prefer to pre-create the folders with a provisioning script.

Lately I've been using a Folder Redirection folder structure that looks like:

  • \\SERVER\Users\<username>\AppData
  • \\SERVER\Users\<username>\Desktop
  • \\SERVER\Users\<username>\Documents

The user is granted permission to the "<username>" folder only. Figuring out a user's disk space utilization in this kind of scenario is pretty easy. (I also stash the user's Roaming User Profile in here in a "Profile" / "Profile.V2" folder.)

(Yes, yes-- I like AppData Folder Redirection. Some people disagree with that but I get good results from it and the benefits outweigh the "costs" to me.)

I pontificate about some more details in another Server Fault answer and yet another Server Fault answer. To save my breath I won't repeat all that here.

re: departmental folders

This is where I think you have the biggest chance to "get it right" or "get it wrong". Too often I've had to deal with a "public drive" in companies that has degenerated into what I call the "pile of files". It's a huge mess, often with patchy and poorly thought-out permissions, and is nearly impossible to get under control.

I'd spend time thinking about the best way to engineer permissions and folder structure to get this part right. I pontificated about this in another answer, so I won't rehash it here either.
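The provisioning script the question proposes and the answer recommends (pre-creating each user's folder instead of letting Folder Redirection create it on first logon), written out as an added example. This is not code from the question, the answer, or Microsoft; it assumes a local root path behind the \\SERVER\Users share, a NetBIOS domain name and a user's sAMAccountName, all of which are placeholders. It builds the AppData/Desktop/Documents layout from the answer, cuts inheritance from the parent so nothing leaks in from \Users, and grants the user Modify rather than Full Control so they cannot rewrite the ACL and widen access to their own folder.

```powershell
# Added example: pre-create one user's Folder Redirection tree with locked-down NTFS permissions.
# Placeholders: $UsersRoot (local path behind \\SERVER\Users), $Domain (NetBIOS domain name).
function New-RedirectedUserFolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$UsersRoot = 'D:\Users',   # assumed local path that \\SERVER\Users points at
        [string]$Domain    = 'CORP'        # placeholder domain name
    )

    $userRoot = Join-Path $UsersRoot $SamAccountName

    # Refuse to touch an existing folder: re-applying ACLs to a populated folder should be a
    # separate, deliberate operation, not a side effect of provisioning.
    if (Test-Path -LiteralPath $userRoot) {
        throw "Folder '$userRoot' already exists; refusing to re-provision."
    }

    # Per-user root plus the three redirected subfolders from the answer's layout.
    $null = New-Item -ItemType Directory -Path $userRoot
    foreach ($sub in 'AppData', 'Desktop', 'Documents') {
        $null = New-Item -ItemType Directory -Path (Join-Path $userRoot $sub)
    }

    # Start from the folder's current ACL, then stop inheriting from \Users without copying
    # the inherited entries, so the only ACEs left are the ones added below.
    $acl = Get-Acl -LiteralPath $userRoot
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # SYSTEM and local Administrators keep Full Control for backup and management.
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, $allow),
        # The user gets Modify only: read/write/delete their data, but no WRITE_DAC, so they
        # cannot grant other accounts access to their folder.
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$Domain\$SamAccountName", 'Modify', $inherit, $propagate, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    Set-Acl -LiteralPath $userRoot -AclObject $acl

    # Return the effective ACEs so the caller (or a log) can confirm exactly three principals.
    (Get-Acl -LiteralPath $userRoot).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage: provision one user, or pipe sAMAccountNames from Get-ADUser into the function.
# New-RedirectedUserFolder -SamAccountName 'jdoe'
# Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=corp,DC=example' |
#     ForEach-Object { New-RedirectedUserFolder -SamAccountName $_.SamAccountName }
```

Two things to check once the folders exist. First, in the Folder Redirection policy clear "Grant the user exclusive rights"; with that option set, the client-side extension expects to find a folder whose owner is the user and whose ACL contains only the user and SYSTEM, and it refuses to redirect into a pre-created folder that does not match. Second, the share permissions on \\SERVER\Users should not be the place you try to separate users from each other; keep them broad (Authenticated Users with Change is the usual choice) and let the per-folder NTFS ACL above do the isolation, which is also what lets you answer "who can read this folder" from a single place.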