Virtual Desktop Service

Redirecting Storage Platform to Azure Files

Contributors kris-gillette-netapp

Overview

Virtual Desktop Service deployment technologies allow for a variety of storage options depending on the underlying infrastructure. This guide addresses how to make a change to using Azure Files post-deployment.

Pre-requisites

Create the new storage layer

  1. Log in to Azure with the global admin account

  2. Create a new Storage Account in the same location and resource group as the workspace

  3. Create the data, home, and pro file shares under the storage account

Set Up Active Directory

  1. Create a new Organizational Unit named “Storage Account” under the Cloud Workspace > Cloud Workspace Service Accounts OU

  2. Enable AD DS authentication (must be done using PowerShell): https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

    1. DomainAccountType should be “ServiceLogonAccount”

    2. OrganizationalUnitDistinguishedName is the distinguished name of the OU created in the previous step (e.g. “OU=Storage Account,OU=Cloud Workspace Service Accounts,OU=Cloud Workspace,DC=TrainingKrisG,DC=onmicrosoft,DC=com”)
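
The two parameter values above in a complete join-and-verify run, as an added example that is not part of the original guide. It uses the AzFilesHybrid module from the linked Microsoft article; the angle-bracket values and the explicit `-SamAccountName` are assumptions to replace with your own.

```powershell
# Added example, not from the guide. Angle-bracket values are placeholders.
# Requires the AzFilesHybrid, Az.Storage and ActiveDirectory (RSAT) modules
# on a domain-joined machine.
Import-Module AzFilesHybrid
Import-Module ActiveDirectory

$SubscriptionId     = '<subscription-id>'
$ResourceGroupName  = '<resource-group>'
$StorageAccountName = '<storage-account>'
$SamAccountName     = '<sam-account-name>'   # assumed: explicit name for the service logon account
$OuDn = 'OU=Storage Account,OU=Cloud Workspace Service Accounts,OU=Cloud Workspace,DC=TrainingKrisG,DC=onmicrosoft,DC=com'

Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null

# Fail early if the OU from step 1 does not exist.
Get-ADOrganizationalUnit -Identity $OuDn -ErrorAction Stop | Out-Null

$joinParams = @{
    ResourceGroupName                   = $ResourceGroupName
    StorageAccountName                  = $StorageAccountName
    SamAccountName                      = $SamAccountName
    DomainAccountType                   = 'ServiceLogonAccount'
    OrganizationalUnitDistinguishedName = $OuDn
}
Join-AzStorageAccount @joinParams

# Verify that the storage account now reports AD DS as its directory service.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth = $sa.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AD') {
    throw "AD DS authentication is not enabled on $StorageAccountName"
}
$auth.ActiveDirectoryProperties | Format-List DomainName, ForestName, DomainGuid, AzureStorageSid

# Verify that the account representing the storage account landed in the intended OU.
$account = Get-ADUser -Identity $SamAccountName
if ($account.DistinguishedName -notlike "*,$OuDn") {
    Write-Warning "Account is at '$($account.DistinguishedName)', not under '$OuDn'"
}
```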

Set the Roles for the Shares

  1. In the Azure portal, give the “Storage File Data SMB Share Elevated Contributor” role to CloudWorkspaceSVC and Level3 Technicians

  2. Give "Storage File Data SMB Share Contributor" role to the “<company code>-all users” group

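
The same two role assignments made with Az PowerShell, followed by an audit of who holds either role, as an added example that is not part of the original guide. Assigning at storage-account scope and the angle-bracket object IDs are assumptions; use the scope and principals from your own deployment.

```powershell
# Added example, not from the guide. Requires Az.Accounts and Az.Resources.
# Angle-bracket values are placeholders.
Connect-AzAccount | Out-Null

# Assumed scope: the whole storage account that holds the data, home and pro shares.
$Scope = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' +
         '/providers/Microsoft.Storage/storageAccounts/<storage-account>'

$Elevated    = 'Storage File Data SMB Share Elevated Contributor'
$Contributor = 'Storage File Data SMB Share Contributor'

# Role name -> directory object IDs of the principals named in steps 1 and 2.
$Wanted = @{
    $Elevated    = @('<object-id of CloudWorkspaceSVC>', '<object-id of Level3 Technicians>')
    $Contributor = @('<object-id of the company-code all users group>')
}

# Create each assignment only if it is not already present.
foreach ($role in $Wanted.Keys) {
    foreach ($id in $Wanted[$role]) {
        $existing = Get-AzRoleAssignment -ObjectId $id -RoleDefinitionName $role -Scope $Scope
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $id -RoleDefinitionName $role -Scope $Scope | Out-Null
        }
    }
}

# Audit: list every holder of either role at this scope (including inherited
# assignments) and mark the ones the guide does not call for.
$report = Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $Wanted.ContainsKey($_.RoleDefinitionName) } |
    Select-Object DisplayName, ObjectId, RoleDefinitionName, Scope,
        @{ Name = 'InGuide'; Expression = { $Wanted[$_.RoleDefinitionName] -contains $_.ObjectId } }

$report | Sort-Object RoleDefinitionName, DisplayName | Format-Table -AutoSize
```

Rows with `InGuide` set to False, especially for the Elevated Contributor role, are the ones to review, since that role allows changing NTFS permissions on the shares.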

Create the directories

  1. Create a directory in each share (data, home, pro) using the company code as the name (In this example, the company code is “kift”)

  2. In the <company code> directory of the pro share, create a “ProfileContainers” directory

Set the NTFS Permissions

  1. Connect to the shares

    1. Navigate to the share under the storage account in the Azure portal, click the three dots, then click Connect

    2. Choose Active Directory for Authentication method and click the Copy to clipboard icon in the lower right corner of the code

    3. Log in to the CWMGR1 server with an account that is a member of the Level3 Technicians group

    4. Run the copied code in PowerShell to map the drive

    5. Do the same for each share while choosing a different drive letter for each

  2. Disable inheritance on the <company code> directories

  3. System and the AD Group ClientDHPAccess should have Full Control to the <company code> directories

  4. Domain Computers should have Full Control to the <company code> directory in the pro share as well as the ProfileContainers directory within

  5. The <company code>-all users AD group should have List folder/read data permissions to the <company code> directories in the home and pro shares

  6. The <company code>-all users AD group should have the below Special permissions for the directory in the data share

    [Screenshot Architectural.ChangeDataLayer.AzureFiles10: Special permissions for the <company code>-all users group on the data share]

  7. The <company code>-all users AD group should have the Modify permission on the ProfileContainers directory
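
A read-only check of the permissions from steps 2 to 5 and 7, as an added example that is not part of the original guide. The drive letters are assumptions for the mappings made in step 1, and the Special permissions from step 6 are not checked because they exist only in the screenshot.

```powershell
# Added example, not from the guide: read-only audit of steps 2-5 and 7.
$Company  = 'kift'                                     # company code from the guide's example
$Drive    = @{ data = 'X:'; home = 'Y:'; pro = 'Z:' }  # assumed drive letters from step 1
$AllUsers = "$Company-all users"
$Rights   = [System.Security.AccessControl.FileSystemRights]
$Full     = @{ 'SYSTEM' = $Rights::FullControl; 'ClientDHPAccess' = $Rights::FullControl }
$Profiles = @{ $AllUsers = $Rights::Modify; 'Domain Computers' = $Rights::FullControl }

# Path -> expected Allow entries, keyed by account name without the domain prefix.
# A value of 0 means "entry expected, rights not checked" (step 6, screenshot only).
$Baseline = [ordered]@{
    "$($Drive.data)\$Company" = $Full + @{ $AllUsers = 0 }
    "$($Drive.home)\$Company" = $Full + @{ $AllUsers = $Rights::ReadData }
    "$($Drive.pro)\$Company"  = $Full + @{ $AllUsers = $Rights::ReadData; 'Domain Computers' = $Rights::FullControl }
    "$($Drive.pro)\$Company\ProfileContainers" = $Profiles
}

function Test-ShareAcl {
    param([string]$Path, [hashtable]$Expected, [bool]$MustBlockInheritance)
    $acl   = Get-Acl -LiteralPath $Path
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    if ($MustBlockInheritance -and -not $acl.AreAccessRulesProtected) {
        "$Path : inheritance is still enabled"
    }
    foreach ($name in $Expected.Keys) {
        $granted = 0   # union of all rights granted to this account, explicit or inherited
        foreach ($ace in $allow) {
            if (($ace.IdentityReference.Value -split '\\')[-1] -eq $name) {
                $granted = $granted -bor [int]$ace.FileSystemRights
            }
        }
        $need = [int]$Expected[$name]
        if (($granted -band $need) -ne $need) { "$Path : '$name' lacks $($Expected[$name])" }
    }
    # Explicit entries for accounts the guide does not mention.
    foreach ($ace in $allow | Where-Object { -not $_.IsInherited }) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($Expected.Keys -notcontains $name) {
            "$Path : entry not in the guide: $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
}

$findings = foreach ($path in $Baseline.Keys) {
    $isCompanyDir = $path -notlike '*\ProfileContainers'   # step 2 covers the company directories only
    Test-ShareAcl -Path $path -Expected $Baseline[$path] -MustBlockInheritance $isCompanyDir
}
if ($findings) { $findings } else { 'All audited directories match the baseline.' }
```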

Update Group Policy Objects

  1. Update the GPO <company code> users located under Cloud Workspace > Cloud Workspace Companies > <company code> > <company code>-desktop users

    1. Change the Home drive mapping to point to the new home share

    2. Change the Folder Redirection to point to the home share for Desktop and Documents

Update the share in Active Directory Users and Computers

  1. With classic or hybrid AD, the share in the company code OU needs to be updated to the new location

Update Data/Home/Pro paths in VDS

  1. Log in to CWMGR1 with an account in the Level3 Technicians group and launch Command Center

  2. In the Command drop down, select Change Data/Home/Pro Folders

  3. Click the Load Data button, then be sure the proper company code is selected from the drop down

  4. Enter the new paths for the data, home, and pro locations

  5. Uncheck the Is Windows Server box

  6. Click the Execute Command button

Update FSLogix profile paths

  1. Open Registry Editor on the session hosts

  2. Edit the VHDLocations entry at HKLM\SOFTWARE\FSLogix\Profiles to be the UNC path to the new ProfileContainers directory

Configure Backups

  1. It is recommended to set up and configure a backup policy for the new shares

  2. Create a new Recovery Services Vault in the same resource group

  3. Navigate to the vault and select Backup under Getting Started

  4. Choose Azure for where the workload is running and Azure file share for what you want to back up, then click Backup

  5. Select the storage account used to create the shares

  6. Add the shares to back up

  7. Edit and Create a backup policy that fits your needs