May 13, 2018 - Sven Huisman
Using Nutanix AFS with VMware UEM
Nutanix Acropolis File Services (AFS), a web-scale native scale-out file serving solution, has been available for two years now. But since I’ve not had the opportunity to use AFS together with VMware User Environment Manager (UEM) yet, I thought I’d give it a go and, while I’m at it, blog about how to set it up. If you don’t know about VMware User Environment Manager, watch the short video below.
In short, VMware UEM is used to manage the user’s Windows desktop and application settings (GPO-settings, drive-mappings, printer mappings, application shortcuts, etc) and is also a replacement for the Windows (roaming) profile. VMware UEM uses an agent installed on the Windows (virtual) desktop or RDSH-server and needs two file shares: one for the configuration and one for the user settings. There is no other infrastructure requirement, like a database.
In a “traditional” infrastructure I would need a NAS solution to host the file shares, or I would need to set up a Windows file server, maybe with DFS replication or a Windows file server cluster, and arrange for backup, depending on the requirements. And then there is scaling up or out and maintaining the Windows operating system, which doesn’t make a sysadmin’s life easier.
And here’s where Nutanix AFS comes into play. AFS file services are very easy to install, easy to configure, easy to maintain, easy to scale out (or up) and easy to back up and recover. (Did I already mention it was easy?) 🙂
Let’s take a look at how easy it is to install and configure Nutanix AFS for VMware User Environment Manager (or for any comparable user environment management solution).
The architecture of Nutanix AFS consists of at least 3 file services VMs, which communicate with the Nutanix CVMs:
Make sure to read the technical requirements for Nutanix AFS before installing.
Nutanix Acropolis Operating System is available in three versions:
AFS is included with Ultimate and can be licensed as a standalone product (per node in the cluster) with the other two types of licenses.
Installing AFS is straightforward. From the PRISM management console, select the Home button and then select “File Server”:
In the next screen, press the “+ File Server” button on the upper right corner:
The installation wizard starts with the pre-checks:
The file server virtual machines use the Data Services IP to communicate with the Nutanix CVMs. I did not have a Data Services IP configured yet, so after configuring the Data Services IP, I ran the Pre-Check again:
The next step is to enter some basic information, like name, domain and file server storage size. You also configure the initial default File Server configuration here. The minimum is 3 file server VMs. This can be increased afterwards:
The file server VMs use two networks: one for communication with the clients (as well as DNS and AD) and one for communicating with the CVMs, the Nutanix controller VMs which are responsible for providing storage. In this environment I use a flat network where the client network and the storage network are the same network. You can enter 3 separate IP addresses or a range of 3 addresses:
The storage network needs one extra IP address, so in my case 4:
In the next step I need to select the protocols I want to use with these file services. I select the SMB protocol, which is used for Windows file shares. Enter a user name which is capable of joining the file server VMs to the domain. It’s best practice to use a service account for this:
The final step is the summary and then grab a coffee and watch the magic:
And after the deployment, you should see something like this:
Now I can create the file shares for the UEM configuration and the share to store the user settings. The UEM config share is a General Purpose Share:
The share to store the user-settings is comparable to a share for home directories or user profiles. Within this share each user will have their own directory to store files. This is one of the options, and an important use-case for Nutanix AFS, that you can select when creating the file share:
Providing the Max size for the share is optional:
In the next screen you are able to enable “Access Based Enumeration”. This means the user can only see the folders on which he has permissions:
After creating both shares, they are visible in the PRISM management console:
Now that both shares are created, the NTFS permissions need to be adjusted to work with VMware UEM:
On the UEM-CONFIG share, the default NTFS permissions are “full control” for the administrator group and the Users group:
As we don’t want this “Users” group to be able to edit or remove files, this group is removed and replaced by the “Domain users” group with read permissions:
I’ve also added the domain group “UEM-Admins” with Full Control, so users of this group can change the UEM-configuration.
The NTFS-permissions for the “UEM-USERS” share also need to be changed because with the default permissions the folders for the users will not be created. From a Windows desktop, browse to the file-server. Right-click the UEM-USERS share and select “Security”. Then click “Advanced”:
I’ve added a domain group called “UEM-Helpdesk-users” with Full Control. This way the Helpdesk can help users fix user and application settings with the UEM Helpdesk tool. The account “CREATOR OWNER” should have “Full Control” on “Subfolders and files only”. I’ve also added the Domain Users group and given it the special permission “Create Folder/Append data” on “This folder only”.
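The same permissions on both shares, scripted so they can be reapplied and reviewed. This is an added example, not from the original post: Domain Users can only create a folder in the root of UEM-USERS, and CREATOR OWNER then gives each user control of the folder they created and nothing else. The NetBIOS domain name CONTOSO, the BUILTIN\Users identity, the inheritance scope of the group entries and the helper name New-UemAccessRule are assumptions.

```powershell
# Added example. Assumed: NetBIOS domain CONTOSO, default "Users" entry is BUILTIN\Users.
$domain     = 'CONTOSO'
$configPath = '\\CONTAFS.contoso.local\UEM-CONFIG'
$usersPath  = '\\CONTAFS.contoso.local\UEM-USERS'

# Hypothetical helper: builds one Allow ACE from enum names given as strings.
function New-UemAccessRule {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}
$all = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

# UEM-CONFIG: drop the default Users entry, read-only for Domain Users,
# Full Control for the UEM-Admins group.
$acl = Get-Acl -Path $configPath
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')
$acl.AddAccessRule((New-UemAccessRule "$domain\Domain Users" 'Read'        $all 'None'))
$acl.AddAccessRule((New-UemAccessRule "$domain\UEM-Admins"   'FullControl' $all 'None'))
Set-Acl -Path $configPath -AclObject $acl

# UEM-USERS: helpdesk Full Control; CREATOR OWNER Full Control on subfolders
# and files only; Domain Users may only create a folder in the share root.
$acl = Get-Acl -Path $usersPath
$acl.AddAccessRule((New-UemAccessRule "$domain\UEM-Helpdesk-users" 'FullControl' $all 'None'))
$acl.AddAccessRule((New-UemAccessRule 'CREATOR OWNER'              'FullControl' $all 'InheritOnly'))
$acl.AddAccessRule((New-UemAccessRule "$domain\Domain Users"       'AppendData'  'None' 'None'))
Set-Acl -Path $usersPath -AclObject $acl

# Review the result: every entry with its rights and inheritance scope.
foreach ($p in $configPath, $usersPath) {
    (Get-Acl -Path $p).Access |
        Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights,
                      InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}
```

In the review output, the Domain Users entry on UEM-USERS should show no inheritance flags; if it shows ContainerInherit, users can create folders inside each other's directories.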
Set up VMware UEM
To set up VMware UEM we need to install the Management Console. I used the following command line to install the management console:
After the installation, start the management console:
When starting the Management Console for the first time, you need to provide the location of the configuration share:
The next step is to personalize the Management console (which features are you going to use?):
Select the Office version you want to use:
The default configuration will now be created. After this step is completed, click OK:
You will see a default configuration which you can edit to your liking. The tab “Personalization” presents the application settings and Windows settings for the user; the tab “User Environment” represents the workspace for the user, like GPOs, drive mappings, printers, registry settings, etc.:
In the share “UEM-CONFIG” you will see this configuration represented in XML-files:
Set up VMware UEM for the user
To set up VMware UEM for the user you will need two things:
- The VMware UEM agent installed on the user’s desktop
- A GPO setting to enable VMware UEM and to set the path to the configuration and the User settings
I installed the VMware UEM agent in a master image for a VDI-pool using a command line:
The configuration of the group policy is well documented. The most important settings are the location of the Config share and the Profile archives share. The config share in my case: “\\CONTAFS.contoso.local\UEM-CONFIG\General”:
The location of the Profile Archives is in my case: “\\CONTAFS.contoso.local\UEM-USERS\%username%\Archives”:
Don’t forget to create a logoff script, otherwise the user’s settings will not be saved at logoff:
Now that I’ve set up Nutanix AFS and VMware UEM, I can log in to the desktop. After logging in, I can see that a new folder is created for my user account:
As you can see, Nutanix AFS is very easy to install and configure. And it’s not only easy to set up; making changes to AFS (like scaling up or down) is just as easy. Just select the file server, select “Update” and the next screen will be presented:
In conclusion, I’m very impressed by how easy it is to set up Nutanix AFS. This is a very valuable add-on, especially for VDI and RDSH environments, where file shares are required to store user (profile) settings.