FSLogix profile container using Azure Files and domain controller step by step

Microsoft

This guide walks an IT administrator through the steps needed to configure an existing Windows Virtual Desktop (WVD) hostpool with profiles stored on an Azure Files storage account. Authentication will be via a domain controller (aka native AD).

The diagram below represents the environment we are starting with:

  • Azure subscription tied to Azure AD
  • Virtual machine acting as Active Directory domain controller, with Azure AD Connect syncing to Azure AD
  • WVD hostpool
  • Storage Account (this guide starts with setting up this storage account (SA))

(Diagram 1.png: the starting environment)

The full guide for setting up Active Directory (AD) authentication over SMB for Azure file shares (AFS) is available here.

Prerequisites

Global administrator on Azure AD is required to be able to assign RBAC permissions. Contributors cannot assign permissions to other users, as outlined here.

Account with Owner permissions on the Azure subscription.

Account that is part of Active Directory (AD). This account needs to be able to sign into a VM that is joined to the domain and have permission to create new accounts.

Note: all prerequisites must be met.

There are certain policies that may block creating and using the account that represents the storage account (for example, if the maximum password length is set to less than 80 characters, AD will not accept the new account). Such policies need to be disabled for the OU where the AD account representing the storage account is to be created.

Selecting Azure Files tier

Prior to creating a storage account, the Azure Files tier must be selected. Azure Files offers two different tiers of storage, premium and standard, to allow you to tailor your shares to the performance and price requirements of your scenario:

  • Premium file shares: Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads.
  • Standard file shares: Standard file shares are backed by hard disk drives (HDDs) and are deployed in the general-purpose version 2 (GPv2) storage account type. Standard file shares provide reliable performance for IO workloads that are less sensitive to performance variability such as general-purpose file shares and dev/test environments. Standard file shares are only available in a pay-as-you-go billing model.

Depending on the target performance, cost, and regional considerations, you can select the most appropriate performance tier for storing the user profile data. We have included our recommendation based on the performance of the typical remote desktop workload types.

Recommended file tier per workload type:

  • Light: Less than 200 concurrent active users, Standard file shares; more than 200 concurrent active users, Premium file shares. You may also consider using Standard file shares with multiple shares if you are scaling up from existing Standard file shares or plan to manage scale out for cost efficiency.
  • Medium: Premium file shares
  • Heavy: Premium file shares
  • Power: Premium file shares

You can leverage the guidance above and further optimize for your WVD scenario. Detailed information on Azure Files performance targets (Standard, Premium) and pricing is available to help you further fine-tune the file share solution.

Setup storage account

  1. Sign into the Azure portal
  2. In the search box enter Storage account
  3. Click +Add and in Create storage account enter:
    1. Create a new resource group
    2. Enter a unique storage account name
    3. Location: must be the same location as the WVD Hostpool
    4. Performance: Standard (as this is a test deployment with less than 200 users)
    5. Account kind: StorageV2
    6. Replication: Read-access geo-redundant (RA-GRS)
  4. Click Review + create and then Create once validation has passed

Create an Azure file share

  1. Once the storage account is deployed, click Go to resource
  2. On the Overview screen click File shares
  3. Click +File share and create a new share named profile
  4. Enter a Quota of 30 GB
  5. Click Create

Enable AD authentication for your SA

These steps need to be run from a machine that is already domain joined. In our environment this will be done from the VM running the domain controller.

  1. RDP into the domain controller VM
  2. Download the AzFilesHybrid module from here
  3. Unzip to a local folder
  4. Open PowerShell and navigate to the folder from step #3
  5. (optional) Set the execution policy to Unrestricted via
     Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
  6. Install NuGet via
     Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
  7. Import the downloaded PS module AzFilesHybrid
     Import-Module -Name .\AzFilesHybrid.psd1
  8. Connect to Azure via PowerShell
     Connect-AzAccount
  9. Sign in when prompted
  10. (optional) If there are multiple Azure subscriptions, select the correct one via
     Select-AzSubscription -SubscriptionId <subscription-id>
  11. Connect the SA with Active Directory via the command below. Replace <rg-name> and <sa-name> with the values from the section Setup storage account.

Important: the command below supports adding the new account to an organizational unit via the switches -OrganizationalUnitName and -OrganizationalUnitDistinguishedName. For more details, please visit.

     Join-AzStorageAccountForAuth -ResourceGroupName "<rg-name>" `
          -Name "<sa-name>" `
          -DomainAccountType "ComputerAccount" `
          -OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>"
  12. Verify the setup is correct
     # Grab the storage account info
     $storageAccount = Get-AzStorageAccount -ResourceGroupName "<rg-name>" -Name "<sa-name>"

     # Verify - the directory service used for identity-based auth on file shares; expect AD
     $storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

     # Verify - the domain information recorded when AD authentication was enabled for file shares
     $storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
  13. Navigate to the Azure portal, open the storage account that was created, click on Configuration and confirm Active Directory (AD) is enabled

(Screenshot 2.png: storage account Configuration blade with Active Directory enabled)

Assign Azure RBAC permission to storage account

At least one user, likely an administrator, will need to be assigned Storage File Data SMB Share Elevated Contributor. The administrator will be used to assign NTFS permissions on the file share.

For all users that need to have FSLogix profiles stored on the SA, assign Storage File Data SMB Share Contributor. It is a best practice to create an AD group for all users that need to have FSLogix profiles.

To assign RBAC permissions:

  1. Navigate to the Azure portal
  2. Open the storage account created in the Setup storage account section
  3. Click Access Control (IAM)
  4. Click Add a role assignment
  5. In the Add role assignment blade, select Storage File Data SMB Share Elevated Contributor for the administrator account.
  6. Click Save

Repeat the above steps for all users that need to have FSLogix profiles but change the role to Storage File Data SMB Share Contributor.

Note: the accounts used here must be created in the domain controller and synced to Azure AD. Accounts sourced from Azure AD are not appropriate.

Configure NTFS permissions over SMB

Once RBAC permissions have been assigned, the next step is to configure the NTFS permissions. There are two pieces of information we need from the Azure portal to complete the NTFS permissions:

  • UNC path
  • SA key

Obtaining the UNC path

  1. Navigate to the Azure portal
  2. Open the storage account created in the Setup storage account section
  3. Under Settings select Properties
  4. In the following screen locate the Primary File Service Endpoint and copy it to a text editor
  5. Modify the URI into a UNC path by:
    1. Removing https://
    2. Replacing forward slashes / with backslashes \
    3. Appending the name of the file share created in the Create an Azure file share section

For example: \\customdomain.file.core.windows.net\<fileshare-name>

Obtaining SA key

  1. Navigate to the Azure portal
  2. Open the storage account created in the Setup storage account section
  3. From the storage account blade select Access keys
  4. Copy key1 or key2 to a local file

Configure NTFS permissions

From the VM running the domain controller, open the command prompt.

Run the command below to mount the Azure file share and assign it a drive letter:

net use <desired-drive-letter>: <UNC-path> <SA-key> /user:Azure\<SA-name>

Use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory.

  1. Open Windows File Explorer, right click on the file/directory and select Properties
  2. Click on the Security tab
  3. Click on the Edit... button to change permissions
  4. You can change the permissions of existing users, or click on Add... to grant permissions to new users
  5. In the prompt window for adding new users, enter the target user name you want to grant permission to in the Enter the object names to select box, and click on Check Names to find the full UPN name of the target user.
  6. Click on OK
  7. In the Security tab, select all permissions you want to grant to the newly added user. Details on what permissions are optimal for FSLogix are available here.
  8. Click on Apply
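As an added example that is not part of the original guide, the following PowerShell applies with icacls the least-privilege permission set recommended in the replies below (SYSTEM and Administrators full control, CREATOR OWNER on subfolders and files, profile users limited to listing and creating folders at the root), so users cannot open each other's profile VHDs. The drive letter, the AD group name and the default entries removed at the end are assumptions.

```powershell
# Run on the domain-joined VM after the share has been mounted with the SA key (net use above)
$ShareRoot = 'Z:\'                                   # assumed drive letter from the net use command
$ProfileUsersGroup = 'CONTOSO\FSLogixProfileUsers'   # assumed AD group holding the profile users

# Stop inheritance at the share root and drop any inherited entries
icacls $ShareRoot /inheritance:r

# SYSTEM: Full control, this folder, subfolders and files
icacls $ShareRoot /grant 'SYSTEM:(OI)(CI)F'

# Administrators: Full control, this folder only (no inheritance flags)
icacls $ShareRoot /grant 'Administrators:F'

# CREATOR OWNER: Full control, subfolders and files only, so each user has full
# rights only on the profile folder FSLogix creates for them
icacls $ShareRoot /grant 'CREATOR OWNER:(OI)(CI)(IO)F'

# Profile users: List folder / read data (RD) and Create folders / append data (AD),
# this folder only: enough to create their own folder, not to read other users' folders
icacls $ShareRoot /grant "$($ProfileUsersGroup):(RD,AD)"

# Remove broad default entries if they exist on the share root (assumption: these are
# present on a new share; the listing below shows what actually remains)
icacls $ShareRoot /remove 'NT AUTHORITY\Authenticated Users'
icacls $ShareRoot /remove 'BUILTIN\Users'

# Review the resulting ACL before pointing FSLogix at the share
icacls $ShareRoot
```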

Configure FSLogix on session host VMs

In this section we cover the steps needed to configure a VM with FSLogix. These steps need to be completed on all VMs. There are multiple ways to deploy in bulk and configure FSLogix that do not require work on each individual VM. More information on those options is available.

  1. RDP to a session host VM that is part of the WVD Hostpool
  2. Download the FSLogix agent from
  3. Unzip and run FSLogixAppsSetup.exe
  4. Agree to the conditions and click Install
  5. Configure the profile container registry settings, more details here:
    1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix
    2. Create the key Profiles
    3. Create a DWORD value Enabled with a value of 1
    4. Create a MULTI_SZ value VHDLocations
    5. Set the value of VHDLocations to the UNC path generated in the section Obtaining the UNC path
  6. Restart the VM
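As an added example that is not part of the original guide, the following PowerShell derives the UNC path from the Primary File Service Endpoint (section Obtaining the UNC path) and writes the registry values from step 5, so the same script can be run on every session host instead of editing the registry by hand. The endpoint and share name used at the end are constructed placeholders.

```powershell
# Build \\<host>\<share> from the Primary File Service Endpoint shown under Properties
function ConvertTo-AzFilesUncPath {
    param(
        [Parameter(Mandatory)] [string] $FileServiceEndpoint,  # e.g. https://<sa-name>.file.core.windows.net/
        [Parameter(Mandatory)] [string] $ShareName             # e.g. profile
    )
    $uri = [System.Uri] $FileServiceEndpoint
    if ($uri.Scheme -ne 'https') { throw "Expected an https endpoint, got '$FileServiceEndpoint'" }
    # Drop https://, switch to backslashes and append the share name
    return "\\$($uri.Host)\$ShareName"
}

# Write the FSLogix profile container settings; run elevated on the session host
function Set-FSLogixProfileContainer {
    param([Parameter(Mandatory)] [string] $VhdLocation)
    $key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled (DWORD) = 1 turns the profile container on
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    # VHDLocations is MULTI_SZ; FSLogix searches the entries in order
    New-ItemProperty -Path $key -Name 'VHDLocations' -PropertyType MultiString -Value @($VhdLocation) -Force | Out-Null
    # Return what was written so it can be checked before the restart
    Get-ItemProperty -Path $key | Select-Object Enabled, VHDLocations
}

# Constructed values; replace with your storage account's endpoint and share name
$unc = ConvertTo-AzFilesUncPath -FileServiceEndpoint 'https://customdomain.file.core.windows.net/' -ShareName 'profile'
# $unc is \\customdomain.file.core.windows.net\profile
Set-FSLogixProfileContainer -VhdLocation $unc
```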

Testing

Once the VM has been restarted, sign in with a user that has permission on the session host and on the file share.

When the session has been established and the start menu is visible:

  1. Navigate to the Azure portal
  2. Open the storage account created in the Setup storage account section
  3. Click on the share created in the Create an Azure file share section

Note: For troubleshooting FSLogix please follow the guide here.

(Screenshot 6.png)

31 Replies
We enabled this on the premium tier in one of our environments over the weekend, around 100 active users, after what looked like I/O performance issues with a B-Series file server.

So far so good. It was also an opportunity to test out Azure File Sync to migrate from the FS to the AZ File Share itself.

We're using this in our production environment using standard tier storage.

We're happy with the performance so far. The Standard tier seemed to be adequate for our needs based on this (https://docs.microsoft.com/en-us/azure/storage/files/storage-files-scale-targets) KB.

There are some slight hiccups with configuring NTFS permissions or viewing the files within the Azure Blade (assuming there's some replication time). Other than that, it's been working very well for us.

@Stefan Georgiev

Please consider changing / noting that it's NOT recommended to add all users full control on the share. It's really NOT best practice at all, and a huge security issue if people can map each other's VHD.

I wanted to go from Standard to Premium, but migrating NTFS permissions is a no-go! :(

@Christian_Pedersen there is an article we are working on for FSLogix permissions on the share and the folders under it:

(User account: Access; Applies to)

  • System: Full control; This folder, subfolders and files
  • Administrators: Full Control; This folder only
  • Creator/Owner: Full Control; Subfolders and files only
  • Security group of users needing to put data on the share (Roaming User Profiles Users and Computers): List folder / read data and Create folders / append data (Advanced permissions); This folder only
  • Other groups and accounts: None (remove)

@Christian_Pedersen can you please elaborate? When you say migration, are you just changing the tier or are you moving the storage account?

@Stefan Georgiev That's perfect, the right way of doing it. :)

The other could lead into problems!

@Stefan Georgiev the goal is to move from a standard to a premium storage account.

The path is the issue. I'm trying to make a new storage account and move all the content over, but NTFS permissions are not working, so the folders / files have the wrong owner. I can't change it afterwards because it seems like you can't modify ownership of files on a storage account; tried with ICACLS and Explorer. :(

@Christian_Pedersen
Just reading this quickly on my way out, but when I migrated I used copy to preserve ownership when moving to another VHD, and then Azure File Sync to upload into Azure Files.

@R_Akers

True, that could be it, that I need to use Azure File Sync instead; probably that can preserve permissions. But it's, well, very apparent that the implementation is kind of not complete, if you need other tools to perform that.

I'm not sure if Azure File Sync can sync from a UNC; then I could just map the 2 file shares up on a VM and migrate directly. The easiest part would be to use robocopy <src> <dst> /sec /mir and then it would copy all the content.

@Stefan Georgiev ... Very much interested in this but waiting for native AD support to get out of Preview. Any idea when that might be coming?

@Nagorg-Terralogic I do not have an official date. That will come from the Azure Files team.

@Nagorg-Terralogic I am not directly owning Azure Files hence will let that team announce any changes in the status of that product.

@Nagorg-Terralogic I have tested Azure Files as backend for FSLogix for days now, and it's pretty well varying in performance; I get some really weird lockups from time to time where the VM is freezing a bit.

Using Azure Files premium, premium SSD and E8s, 8 cores, 64 GB memory.

It works, but there are some really strange "pauses" :(

@Stefan Georgiev well, call it "freezes" (5-10-15 seconds). It's kind of difficult to be 100% accurate whether it's the storage system or the issue with Office and Modern Authentication that I'm also struggling with, because it seems that if Office has ADAL disabled it can also cause freezes in the user's profile on Open/Close actions.

This is a concern of mine. Not sure how practical it is to use a PaaS storage backend for FSLogix profile containers. But I do like the concept..

@Stefan Georgiev Please explain where Global Administrator on the Azure tenant is required to set this up? To delegate the SMB RBAC rights it's certainly enough to be an owner of the storage account.

@Nagorg-Terralogic Why would having to maintain two file servers (HA) be more practical?