Using Mandatory Profiles to Speed Up Logons for RDSH Servers
I was building a VDI solution for one of my customers that leveraged App Volumes to build RDSH servers, which in turn presented applications via Horizon (is it still fair to call it a VDI solution if there's no desktop OS involved?). We were managing the user experience persistence via User Environment Manager, so the RDSH servers were stateless and no unique data would ever live on any of them. It's a really cool solution, but we ran into that classic VDI issue: slow logons.
Fortunately, since that is such a classic issue, there's a huge list of things to do to alleviate it. In this case, since the user's profile lives independently of the server to which they've logged on, we have a really powerful tool available to us: the Mandatory Profile.
Windows does a lot of profile customization when a user logs in for the first time, which is great on a persistent desktop! In a nonpersistent environment (which, for all intents and purposes, any RDSH solution is, because the user could log onto any server in the pool), it's awful. Our servers were taking about 2 minutes to process a logon, which looks really bad when you're doing application presentation and it looks like it takes 2 minutes to launch notepad.
There are a lot of optimizations that need to happen, but the Mandatory Profile is a huge one. After we turned it on (before doing anything else), our logon time dropped to 30 seconds. This isn't particularly surprising, as we just cut out all of that "first time logon" processing that Windows does. So, how do you do it?
Well, that depends on what you need from your mandatory profile. In this situation, all of our user policy was coming from either Group Policy or User Environment Manager, so we just needed a perfectly clean profile from Windows to build upon.
If you look up how to build a Mandatory Profile, you'll probably be shocked. Back in my day, all we used to do was copy a local user's profile folder, rename the ntuser.dat file as a .man file, then go home and drink a beer! And we liked it! These days, creating a Mandatory Profile is not so easy. You start the same, by using a local account to customize things, but then you've got to start messing with sysprep and a specialized unattend.xml file. How do you generate that unattend.xml file? Well, you're gonna need the Windows System Image Manager. How do you get that? Well, it's a part of the Windows Advanced Deployment Kit. After you get it downloaded and installed (several gigs of download, by the way), you're gonna need a .WIM file for your chosen Operating System... and at that point, I started questioning my career choices.
Fortunately, all of that is only necessary if you need to customize your mandatory profile. If you want a clean profile, you can skip it! Since we're doing all of our user experience outside of the profile anyway, we're perfectly happy to use a clean profile, and that process is a lot easier: copy the "default" profile to a new location, rename the ntuser.dat file as a .man file, then... wait a minute, I've seen this before!
Ok, it basically is that simple. On the RDSH Server master image, go into Advanced System Settings, find the User Profiles section (on the Advanced tab, which is where you should be if you opened Advanced System Settings) and press the Settings button in there. Highlight the Default Profile, then press Copy To... and select a location. I chose C:\Profile. Under Permitted to use, ensure that an appropriate AD group is selected (I chose Authenticated Users, but your mileage may vary). If you've got the Mandatory profile checkbox, enable it... otherwise you can just rename the ntuser.dat file as per forever.
And that's it, you've configured a Mandatory Profile! Of course, no one is going to use it... but that's easy to fix. We simply created a GPO on the OU that contains our RDSH servers. We enabled the "Set path for Remote Desktop Services Roaming User Profile" setting under Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Profiles and set it to use \\localhost\profile$ (which is a share that points at C:\Profile). Why did we specify it in such a circuitous manner? Well, that setting only works with UNC paths. It's a little funky, but it worked great for us and got everyone using a locally stored mandatory profile on our RDSH servers.
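Since every session on the host loads this one shared copy, it is worth confirming on the master image that the profile really is mandatory and that ordinary users can only read it. The script below is an added example, not part of the original post; it uses the post's C:\Profile, profile$ and \\localhost\profile$, while the trusted-principal list and the WFProfilePath registry value name are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): audit the mandatory profile built above.
# C:\Profile, profile$ and \\localhost\profile$ are the post's values.
$ProfileDir = 'C:\Profile'
$ShareName  = 'profile$'
$Hive       = Join-Path $ProfileDir 'ntuser.man'
$Trusted    = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'   # assumption: adjust to taste
$findings   = @()

# 1. The hive must carry the .man extension; a leftover ntuser.dat means the rename was missed.
if (-not [System.IO.File]::Exists($Hive)) { $findings += "$Hive not found" }
if ([System.IO.File]::Exists((Join-Path $ProfileDir 'ntuser.dat'))) {
    $findings += 'ntuser.dat still present (profile is not mandatory)'
}

# 2. Flag any write-capable ACE held by a non-administrative principal.
#    0x50000000 = GENERIC_ALL | GENERIC_WRITE, which Get-Acl can report as raw bits.
$writeMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000
foreach ($path in (@($ProfileDir, $Hive) | Where-Object { Test-Path -LiteralPath $_ })) {
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $who -notin $Trusted -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            $findings += "$path : $who has write-capable rights ($($ace.FileSystemRights))"
        }
    }
}

# 3. The share must point at the profile folder and be read-only for ordinary users.
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    $findings += "share $ShareName does not exist"
} else {
    if ($share.Path -ne $ProfileDir) { $findings += "share points at $($share.Path)" }
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and $_.AccountName -notin $Trusted } |
        ForEach-Object { $findings += "share grants $($_.AccessRight) to $($_.AccountName)" }
}

# 4. Assumption: the GPO setting is stored as WFProfilePath under this policy key.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
if ($policy.WFProfilePath -ne "\\localhost\$ShareName") {
    $findings += "profile path policy is '$($policy.WFProfilePath)'"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Mandatory profile checks passed.' }
```

Run it from an elevated PowerShell session on the master image after the GPO has applied; each warning names the file, share or policy value that needs a second look.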