
Terminal Server and the profile challenge

Profile problems??

Profile problems?? No, we never have problems with our profiles. This is almost the standard answer I get when I ask “Do you have problems with your profiles?” to customers or to a system administrator at an event while they are telling me about some strange problems.
So why write an article about profile challenges if there are no profile problems?

Because when the discussion goes on and more questions are asked, the answers start coming:

  • Sometimes users get an error when launching Outlook.
  • Some users cannot start application X anymore.
  • User Y has not been able to print to one printer for a week.
  • When user X logs in it takes almost two minutes.

And those problems are not solved easily!

Sounds familiar? How do you solve this kind of problem?
In the end you probably delete the user's profile and everything runs fine again.

The same question again: Are there some profile problems?
Yes, it is clear there are absolutely some profile challenges.

What is a profile actually?

 

To solve challenges you first need to know exactly what a profile is. In short, a Windows user profile makes it possible for the user to have a personalized environment. The personalized environment consists of the content and arrangement of Start Menu groups, screen colours, desktop shortcuts, network and printer connections, internet favourites, personal application settings, temporary internet files, cookies, stencils, mouse/keyboard settings, certificates and much more.

The profile is normally created when the user logs on for the first time. Within the %systemroot%\Documents and Settings folder a new folder is created with the username of the user. This folder is the first part of the profile. The second part is stored in the registry in the hive [HKEY_CURRENT_USER]. When the user logs off, the hive is stored in a file called ntuser.dat, which is saved in the above-mentioned folder.





Local profile

As you can see, all settings are stored locally on the machine the user logged on to. This kind of profile is called a local profile. But in a company users can or may log on to several workstations. Of course your user wants the desktop environment to be the same on every machine, but the profiles are stored locally so this is not possible. Also, if the workstation fails the user loses all his settings, and local profiles cannot be (fully) managed by the IT department.

Roaming profile

To reach the goal of giving the user the same desktop environment on every workstation, roaming profiles are set up. When using roaming profiles, the user profile is loaded from a server in the infrastructure to the workstation when the user logs on and stored back on the server when the user logs off again. Roaming profiles consume lots of resources, which results in synchronization problems when loading and storing the profile. In practice roaming profiles are fragile components, which are difficult to administer and manage.

Mandatory profile

Within the Windows environment there is another profile type. With this profile type, changes to the desktop environment are not saved when the user logs off the system. Mandatory profiles are easy to manage and fast, and because nothing is saved to the profile, the profile cannot get corrupted.

In current environments it is almost impossible to use mandatory profiles, because in most of them user settings must be retained. In most cases roaming profiles are used, with all the accompanying problems mentioned above. Retaining user settings is a more important goal than avoiding the challenges roaming profiles bring to the IT department.

Terminal Server and Profiles

Are the challenges concerning profiles on Terminal Servers the same as in standard workstation environments, or even more complicated?

In some ways it gets more complicated when Terminal Servers are part of the infrastructure:

  • If your users are using applications both on their workstation and on the Terminal Servers, the user settings need to be retained on both systems. Within Active Directory Service (ADS) you can specify a standard profile and a special profile for Terminal Servers. If you do not specify a Terminal Server profile, the standard profile will be used. You can imagine what the results can be if a workstation profile is loaded on a Terminal Server (with a different Operating System). Always specify a Terminal Server profile when using roaming profiles with Terminal Servers in the infrastructure.
  • Because of load balancing, users regularly log on to different servers when using Terminal Servers. Although the same situation is also possible with normal workstations (when using flexible workspaces), practice shows that end-users normally use the same workstation as much as possible.
  • Users are logged on to more than one server at the same time. When using Terminal Servers it is most likely that users are logged in to more than one Terminal Server at the same time. This is especially applicable when the Silo or Load Managed Groups concept is used. This means that special Terminal Servers are used for several applications (in other words, not all applications are installed on all Terminal Servers).
  • When using Published Applications (with third party products like Citrix, Provision, GoGlobal and others) there is a big chance that there are more logon and logoff processes than on normal workstations.
  • On Terminal Servers, time limits are often specified for inactive and disconnected sessions, which causes more logon and logoff processes.

The above-mentioned reasons cause more challenges in managing the profile environment. With Terminal Servers, more corruption, lost user settings and application errors are most likely to occur when using roaming profiles.
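The first point above can be checked across a domain. The following PowerShell is an added example, not part of the original article: it lists accounts that have a standard roaming profile path but no separate Terminal Server profile path. The function names and the sample accounts are constructed for illustration.

```powershell
function Get-ProfilePathPair {
    # Reads both paths for every user that has a standard profile path.
    # The Terminal Server path is not a plain LDAP attribute, so it is
    # read through the ADSI property TerminalServicesProfilePath.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(profilePath=*))'
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll()) {
        $tsPath = $null
        try {
            $tsPath = $result.GetDirectoryEntry().psbase.InvokeGet('TerminalServicesProfilePath')
        } catch { }   # property was never set on this account
        [pscustomobject]@{
            User          = [string]$result.Properties['samaccountname'][0]
            ProfilePath   = [string]$result.Properties['profilepath'][0]
            TsProfilePath = [string]$tsPath
        }
    }
}

function Test-ProfilePathPair {
    param([Parameter(ValueFromPipeline)]$Account)
    process {
        $finding = $null
        if (-not $Account.TsProfilePath) {
            $finding = 'No Terminal Server profile: the standard profile will be used'
        } elseif ($Account.TsProfilePath.TrimEnd('\') -ieq $Account.ProfilePath.TrimEnd('\')) {
            $finding = 'Terminal Server profile is the same folder as the standard profile'
        }
        if ($finding) {
            [pscustomobject]@{
                User = $Account.User; ProfilePath = $Account.ProfilePath
                TsProfilePath = $Account.TsProfilePath; Finding = $finding
            }
        }
    }
}

# Constructed sample accounts so the check can be tried without a domain.
$sample = @(
    [pscustomobject]@{ User='anna';  ProfilePath='\\fs01\prof$\anna';  TsProfilePath='\\fs01\tsprof$\anna' }
    [pscustomobject]@{ User='bert';  ProfilePath='\\fs01\prof$\bert';  TsProfilePath='' }
    [pscustomobject]@{ User='carla'; ProfilePath='\\fs01\prof$\carla'; TsProfilePath='\\FS01\prof$\carla\' }
)
$sample | Test-ProfilePathPair | Format-List   # reports bert and carla

# Against a live domain: Get-ProfilePathPair | Test-ProfilePathPair
```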

Looking seriously at these challenges, you would like to have the mandatory profile attributes such as no corruption, fast load times and easy management, but with the option to save the needed user settings. Fortunately this scenario is possible nowadays with so-called Hybrid or Flexible Profiles.

These profiles use a mandatory profile, which is configured and loaded in the same way as in a 100% mandatory profile environment. Take a look at Microsoft Knowledge Base article 323368 for creating a mandatory profile. (Tip: place the mandatory profile locally on the server, which speeds up the loading of the profile.) The (specified) end-user settings are restored at logon and saved at logoff by a third party tool, which makes up the flex or hybrid profile. The enormous growth of products in this market shows the necessity of this kind of profile.

One of the pioneers is the Flex Profile Kit by Jeroen van de Kamp. The Flex Profile Kit (FPK) uses a modified version of the Office Profile wizard (proflwiz.exe) to store and save the user (registry) settings. With the FPK you specify in an ini-file which registry keys need to be saved when the user logs off. In version 4 of the FPK it is possible to specify folders (think of favorites) and more advanced options like saving and restoring certificates, Windows appearance settings, mouse settings and passwords, and support for the Silo or Load Managed Groups concept. All settings are saved on a file share, so no additional software is needed. The FPK is still a freeware product.
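The save-at-logoff and restore-at-logon mechanism described above can be sketched with the standard reg.exe tool. This PowerShell is an added illustration, not the Flex Profile Kit's code or its ini-file format; the store location, the key list and the function names are assumptions made for the example.

```powershell
# Hypothetical values: in production $Store would be a per-user folder on a
# file share; a folder under %TEMP% is used here so the example runs anywhere.
$Store = Join-Path $env:TEMP "flexstore\$env:USERNAME"
$KeysToKeep = @(
    'HKCU\Control Panel\Mouse',
    'HKCU\Software\Microsoft\Office'
)

function Get-StoreFile([string]$Key) {
    # One .reg file per key; backslashes, spaces and colons become underscores.
    Join-Path $Store (($Key -replace '[\\ :]', '_') + '.reg')
}

function Save-FlexSettings {
    # Logoff: export only the listed keys. All other changes are dropped
    # with the mandatory profile, as usual.
    New-Item -ItemType Directory -Path $Store -Force | Out-Null
    foreach ($key in $KeysToKeep) {
        & reg.exe query $key *> $null
        if ($LASTEXITCODE -ne 0) { continue }   # key absent for this user
        & reg.exe export $key (Get-StoreFile $key) /y *> $null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed: $key" }
    }
}

function Restore-FlexSettings {
    # Logon: import only the files that belong to a listed key; any other
    # file found in the store is ignored.
    foreach ($key in $KeysToKeep) {
        $file = Get-StoreFile $key
        if (-not (Test-Path -LiteralPath $file)) { continue }   # first logon
        & reg.exe import $file *> $null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed: $key" }
    }
}

# Typical wiring: call Restore-FlexSettings from the logon script and
# Save-FlexSettings from the logoff script.
```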

Citrix itself also realised the necessity and developed their Hybrid Profile. This product is implemented in your environment by Citrix Consultancy Services only. Therefore not much information is available about this product. The configuration and the settings are placed in a SQL database.

After the FPK and the Citrix Hybrid Profile, more (commercial) products were developed. Tricerat Simplify Profiles, Mancorp Managed Profiles, Terminal-services.net, WTS Profiles, Provision Metaprofiles-IT and Jumping Profiles are the best-known products.

Most of these products offer the possibility to save and store user-specific registry keys. Tricerat, Mancorp and Terminal-services.net use a (SQL) database for configuration and for storing the user settings. Configuring and managing these products is done via a GUI. Every product offers some additional functionality. With WTSProfile you can also lock down the start menu and desktop appearance based on several filters, Managed Profiles has an additional Printer Management module and folder saving, and Simplify Profiles also offers a GPO-comparable lockdown of the user environment.

Jumping Profiles is the commercial product with the most options. It was the first product with features like saving Windows appearance, certificates (even root certificates), mouse/keyboard settings and passwords. Jumping Profiles uses a simple file share for storing all the settings. Jumping Profiles uses the same way of thinking about a solution for profiles as the FPK, although the method of the product is exactly the other way around: Jumping Profiles saves all settings in the user profile except those that are specified in a blacklist. Jumping Profiles also supplies extra tools to make migration, configuration and troubleshooting much easier. Jumping Profiles and the Flex Profile Kit offer the most robust and most fully featured profile solutions at the moment.

Summary

In summary, lots of IT departments have challenges with managing their roaming profile environment. It takes some time to recognize these challenges, but the solution is there in the form of the flex/hybrid profile solutions. All those products were developed with a Terminal Server infrastructure in mind, but they are also very usable in a traditional workstation infrastructure. If you are struggling with profile challenges, you should definitely consider using a flex/hybrid profile solution. On my own website, VanBragt.Net Virtualization, all products are reviewed, so that is a good way to start investigating the flex/hybrid profile solutions.

Article previously published at MSTerminalServices.org.