Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2

September 2010

To help ensure that the Microsoft IntelliMirror service continues to offer a security-enhanced enduser data backup solution that meets changing business needs, Microsoft Information Technology (MSIT) has implemented key technology changes in the Windows 7 and Windows Server 2008 R2 operating systems. This approach has enabled MSIT to add functionality to the IntelliMirror service while still operating on a limited budget.

Introduction
Intended Audience IT managers Business decision makers Technical decision makers Products & Technologies
Windows Server 2008 R2 Windows 7 Windows Vista SP1 Server Message Block Folder Redirection Offline Files File Server Resource Manager BitLocker Drive Encryption Failover clusters Volume Shadow Copy Service Microsoft System Center Data Protection Manager 2007 SP1 File Server Capacity Tool

MSIT supplies services to more than 170,000 users located in more than 600 buildings worldwide. IntelliMirror, like all MSIT-supplied services, has a strong and measurable service level agreement (SLA) in place to help safeguard its users. A key deliverable for this service is for users to have access to their data 99.99 percent of the time from any client computer on the Microsoft corporate network. The IntelliMirror management technologies are a set of features that are built into Windows Server and form the basis of MSITs backup and centralization solution for its mobile workforce. First introduced in Microsoft Windows 2000 Server, IntelliMirror enables users to redirect specific folders to centrally managed network servers for data security and recovery. At Microsoft, IntelliMirror offers a fast, cost-effective data security solution. The service enables users to have full access to a copy of their files when they are disconnected from the network, even though these files are centrally managed on a network server. The data is then synchronised as a background task when network connectivity is restored. This highly automated system was simple for MSIT to deploy and has low administration costs.

Business Requirements
When IntelliMirror was initially deployed at Microsoft, the IntelliMirror service management team wanted the service to fulfill four business requirements: Data centralization and management: Data stored on client computers needed to be centralized for IT administrators to monitor and manage it. Users also needed to have access to their data from any corporate domainjoined computer at all times. Data mobility and availability: User data needed to be mobile, without any additional IT administration or end-user requirements. The service had to give users fast access to their data, independent of their network connectivity or the quality of the connection to the centralized storage location. Data protection and portability: Protecting the integrity of the data is another core requirement of the service. MSIT needed to help ensure that users data was secure and

could be recovered in case of accidental file changes, file deletion, laptop loss, or hardware failure. Total cost of ownership (TCO): IntelliMirror had to add value for end users without increasing the TCO.

Any subsequent technologies that become available are benchmarked against these requirements to determine whether they can support and improve service delivery while maintaining the same underlying principles. The IntelliMirror service management team felt that the release of Windows Server 2008 R2 and Windows 7, plus the rollout of Hyper-V in branch offices, offered sufficient additional functionality to justify a major service improvement plan for the IntelliMirror service.

Key Technology Opportunities

The Microsoft internal IntelliMirror solution has benefitted greatly from taking advantage of new technology features in Windows from Windows Server 2008 onward. These changes, aligned with an extensive communications plan promoting the new recovery and security benefits, have seen a significant and continued increase in users signing up for the IntelliMirror service. Generating this increased use of IntelliMirror required a wide variety of technologies. Many of these technologies have been available in Windows server and client operating systems for some time. However, some of the technologies that the IntelliMirror service uses have been greatly enhanced or are new features in Windows Server 2008 R2 and Windows 7. These changes included significant improvements to Offline Files, the Server Message Block (SMB) protocol with the introduction SMB 2.0 and SMB 2.1, File Server Resource Manager, and clustering technologies, to name a few. Virtualization in the branch office with the HyperV rollout was also an important step forward for the IntelliMirror service management team.

MSIT IntelliMirror Service

Before looking at the technology changes that Windows Server 2008 R2 and Windows 7 introduced, it is important to understand how IntelliMirror is promoted within Microsoft. Unlike many other services, IntelliMirror is optional. Some users may choose not to enroll for the service because of their particular job role, because of the version of Windows that they need to use, or simply because their work location is not suitable. However, users are encouraged to sign up for the service based on its data mobility and recoverability benefits, which the IntelliMirror service management team believes are compelling enough for most users to adopt IntelliMirror. This strategy has proved successful, and the enhancements to the service brought about by the introduction of new technologies since the Windows Server 2008 R2 release , has increased its enrolled user base to more than 18,000 (and growing). Users enroll for the service via a Web-based signup tool on the IntelliMirror portal. Here, the user simply selects the nearest Personal Network Folder server (Virtual Branch Office Server), to his or her location and then clicks the Sign Up button. IntelliMirror becomes active within 24 hours with no additional end-user requirements. The signup process uses the File Server Resource Manager feature in Windows Server 2008 R2 to update Active Directory Domain Services (AD DS) and the user account. A Group

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 2

Policy setting is then applied to the users computer and sets the IntelliMirror path information.

Windows Server 2008 R2 with Hyper-V

Until the introduction of Windows Server 2008 Hyper-V virtualization technologies, IntelliMirror was one of six core services that coexisted on a local branch-office network server. These were known as User Services Platform (USP) servers. A standard configuration was a single physical server running Windows Server 2003 Service Pack (SP) 2, with the following services: File (shares) Print Data Distribution Services Windows Deployment Services Microsoft Systems Management Server 2003 IntelliMirror management technologies

This single multipurpose branch-office server model originated from an earlier project called the Model Enterprise Initiative (MEI). The aim of this project was to reduce server sprawl, to simplify the infrastructure at Microsoft, and to reduce the TCO. Although MEI was a great success, the single branch-office server model that it produced affected the IntelliMirror teams ability to adapt the service to meet changing business needs, along with the teams ability to adopt new technologies. With multiple services sharing the same operating system, the chance always existed that problems could occur in areas such as: Service overlap: Having multiple services installed on one operating system created additional workload and complexity for service managers and regional IT staff. Any changes to one service had to be coordinated with all service managers who shared the same platform. Planning large changes, such as operating system upgrades, was a major undertaking because of the number of teams that had to be coordinated. Security: Sharing a single operating system also had security implications. For example, the local resources that handled file share issues were directly logging on to a server that was delivering IntelliMirror Folder Redirection. Although rights are managed based on job roles, the potential to affect overall server performance or compromise confidential data was a possibility without true service segregation. SLA and flexibility: The standard 99.99 percent service availability was hard to maintain and control in a scenario where other services could affect the availability of IntelliMirror. The only way around this was true segregation of services onto separate servers, which was not a viable or cost-effective option before Hyper-V. Early adoption of technology: One of MSITs core roles is to be the first and best customer of Microsoft, adopting new technology as early as possible so that the software can be thoroughly tested in an enterprise environment before general release to market. With virtualization, each service could now participate in different testing efforts and adopt new technology based on a timetable that suits its individual service requirements.

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 3

The limitations of a single server with multiple technology requirements were resolved with the introduction of Hyper-V on branch-office servers running Windows Server 2008 R2. This enabled MSIT to isolate services into separate virtual machines, size resources to meet the service managers desired requirements, and give complete ownership of the virtual machines to the individual service management teams. Hyper-V was a key enabler in the service improvement plan to extend the range of user information that IntelliMirror helps secure. It also enabled MSIT to increase storage quotas. Desktop files and favorites were now added to the range of files that IntelliMirror helps secure, further improving disaster recovery capabilities. The lower cost of storage on the Hyper-V servers meant that minimum quotas could also be increased from 1.25 gigabytes (GB) per user to 3 GB per user, with the option for individuals to apply for quota increases on an as-needed basis up to 15 GB. A user warning system has also been established to alert users when their capacity utilization reaches 85 percent and 95 percent. The system provides a final alert when capacity utilization reaches 100 percent, at which point the ability to create additional content to the centralized data store is blocked. This helps users proactively manage their data and avoid problems related to managed folders. Although the rollout of branch-office virtualization was a separate project that brought a range of benefits to multiple services, it presented a good opportunity for the IntelliMirror service management team to take advantage of the new platform with little or no additional cost. Overall, virtualizing the service was a huge success for MSIT and mapped closely to the data centralization and management aspects of the IntelliMirror business requirements.

Folder Redirection
New and improved features available with Windows 7, particularly in the Folder Redirection and Offline Files areas, also enhanced the IntelliMirror service at the same time that Hyper-V was being deployed. Folder Redirection is one of the main features of IntelliMirror. This feature offers many benefits to users and administrators, such as having a copy of user data stored on a managed server that can be easily backed up as part of routine system administration task. It also enables a user to log on to different physical computers on the corporate network and still maintain access to his or her data via the server copy, which will replicate to the users current laptop or desktop computer. This is particularly useful in reducing the administration time and cost involved in upgrading a users computer or in recovering a users computer in the event of a disaster. A drawback of Folder Redirection before Windows 7 was a users first logon experience after he or she had signed up for the IntelliMirror service. For example, with the Windows Vista operating system, the user would experience delays during the first logon while all his or her local data was copied over the network to the server. To improve this experience in Windows 7, a user who has Offline Files enabled during deployment of IntelliMirror Folder Redirection will see a significantly improved first logon experience. This is because the data is moved from the local hard disk drive into a local cache, rather than being sent over the network.

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 4

After the initial move to the cache is complete, the user can access his or her information normally, and locally cached data will be synchronized over the network to the server as a background task. This ability significantly improved end users service experience.

Offline Files and the Local Cache

Offline Files is the feature that maintains the local cached copy of network files and folders on the client computer, so that the cached files are available when there is no network connectivity. When the network connection to the file server is available again, changes made to the files while the user was working offline are automatically synchronized with the file server copy. The maximum amount of disk space allocated to the Offline Files cache is configurable through Group Policy in Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 operating systems. By default, the size of the cache is 25 percent of the system volume free space when the cache is initialized. In certain circumstances, if a large amount of data is stored in the redirected folders, the local computer may not have enough disk space to put all the required information in the cache. In these circumstances, synchronization errors will occur and not all files will be accessible while the user is offline. In the Microsoft implementation, this does not happen because a default maximum size is set for the Offline Files cache.

Offline Files and Windows 7

The IntelliMirror implementation at Microsoft also benefitted greatly from changes in Windows 7. These were specifically: Usually Offline: The Usually Offline feature enables a user to always work from the cached copy while maintaining a synchronized view of the data between the client and the server. When a client network connection to a server is slow, Offline Files automatically transitions the client into an offline mode. The user then works from the locally cached version of the files. Although this feature is also available in Windows Vista, Windows 7 added the ability to automatically synchronize files in the background, at regular intervals, to reconcile any changes between the client and the server. This makes synchronization much more reliable. Ability to transition online automatically from offline mode: Before Windows 7, there was no mechanism to automatically transition a user computer back to an online state after the computer had moved into offline mode because of a slow network link. In Windows 7, the operating system detects when network conditions have improved and then transitions the computer back into online mode automatically. Support for offline directory renaming and deletion: By default, Windows 7 enables users to rename and delete directories while in offline mode. In Windows Vista Service Pack 1 (SP1), this functionality required a registry key. Before Windows Vista SP1, it was not possible to rename or delete directories that were created online while the users computer was offline by using the cached copy.

Offline Files and Operating Systems

The Offline Files feature is enabled by default on Windows Vista and on Windows 7 Professional, Enterprise, and Ultimate editions. However, at Microsoft, Offline Files is turned off by default for Windows Server operating systems, including computers running Windows

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 5

Server 2008 R2. To enable Offline Files on Windows Server, an administrator must install and enable the Desktop Experience feature. Although it is possible to administratively enable Offline Files on server operating systems, MSIT did not consider this option for its implementation. Even though Microsoft has a large number of power users who choose to use a server operating system on their client computers, MSIT lets them decide whether to deploy this feature themselves.

Server Message Block Improvements

IntelliMirror uses SMB to provide a method for client computers to access files and services from server programs on the computer network. The original SMB protocol, also known as Common Internet File System (CIFS), evolved over time until Windows Vista and Windows Server 2008 were released. These releases introduced a redesigned version of the protocol, known as SMB 2.0. Two important limitations of SMB 1.0 are that it is very talkative in network terms and it lacks awareness of network latency, this in turn impacts the efficiency of network services like IntelliMirror. The SMB 1.0 protocol was not created with wide area network (WAN) or highlatency networks in mind. However the introduction of SMB 2.0 and 2.1 addressed these limitations and provided several improvements, including: Request compounding, allowing multiple SMB 2.0 requests to be sent as a single network request. Larger reads and writes to make better use of faster networks, even with high latency. Caching of folder and file properties, where clients keep local copies of folders and files. Durable handles to allow an SMB 2.0 connection to transparently reconnect to the server in the event of a temporary disconnection. Improved message signing with changes to the Hash-based Message Authentication Code (HMAC) where SHA-256 replaced MD5 as the hashing algorithm giving improved configuration and interoperability. Improved scalability for file sharing (the number of users, shares, and open files per server has greatly increased).

All these changes combined have improved the end-user experience with IntelliMirror by making network usage faster and more reliable.

File Server Resource Manager

Improvements to File Server Resource Manager enabled the introduction of further changes to IntelliMirror. File Server Resource Manager is a suite of tools that enable administrators to understand, control, and manage the quantity and type of data stored on computers running Windows Server. By using File Server Resource Manager, administrators can place quotas on volumes, actively screen files and folders, and generate comprehensive storage reports. This set of advanced tools not only helps the administrator to efficiently monitor existing storage resources, but also aids in the planning and implementation of future policy changes.

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 6

Windows Server 2008 R2 supports File Server Resource Manager on all server installation options, including Server Core, although at Microsoft, the IntelliMirror virtual machines sit on a full version of Windows Server 2008 R2 with the standard graphical user interface (GUI).

Recovery
A combination of Volume Shadow Copy Service (VSS) and Microsoft System Center Data Protection Manager (DPM) 2010 provides the recovery options for the IntelliMirror service. Although this was not specifically changed as part of this project, it is important to mention here to complete the service picture. VSS for shared folders is a feature in Windows Server that transparently maintains previous versions of files on selected volumes by producing shadow copies. It works by taking snapshots of an entire volume at particular points and making these snapshots available to the user in a simple-to-use interface. This helps reduce IT operational costs by eliminating the need for administrator intervention in the recovery process. VSS enables the users themselves to have complete control over the recovery process for deleted, modified, or corrupted files from a snapshot of the volume. At Microsoft, administrators use DPM in combination with VSS to provide a total recovery solution. DPM produces the backup copies of user data. It delivers continuous data protection for compatible applications and file servers by using seamlessly integrated disk, tape, or cloud storage as a backup target. To do this, DPM invokes VSS to create a one-time full replica of the data it will help protect, followed by incremental synchronizations (recovery points) that by default are scheduled to occur every 15 minutes. For IntelliMirror, DPM provides a near-continuous data protection (near CDP) model for file servers where content is backed up on a 15-minute schedule.

BitLocker
A big step toward rounding off security requirements for IntelliMirror was the introduction of BitLocker Drive Encryption in the Windows Vista and Windows 7 deployments. Like HyperV, the implementation of BitLocker was a separate but complementary project that added value to IntelliMirror. Enabling BitLocker protection on all mobile and desktop computers is a high priority for Microsoft. BitLocker helps keep everything from documents to passwords safer by encrypting the entire drive that the Windows operating system and user data reside on. A large portion of the Microsoft workforce is mobile, which makes technologies like IntelliMirror an attractive proposition because it provides security for user data on a centralized infrastructure while still being portable. However, the copy of confidential Microsoft and customer information available on client computers is particularly vulnerable to loss or theft. The adoption of data encryption strategies such as BitLocker is therefore critical to help protect the data on corporate portable and desktop computers. BitLocker is part of a defensein-depth strategy that Microsoft enforces on all client computers. This strategy also includes the use of mandatory antivirus, firewall, and antispyware software. Although this technology is not specifically part of the core IntelliMirror service, its implementation helps address the data protection and portability aspects of the service.

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 7

Taking advantage of opportunities from technology deployments by other service teams, such as BitLocker, has improved the security for IntelliMirror users with no additional administration overhead for the IntelliMirror service management team.

Future Developments
The MSIT IntelliMirror service management team is now researching a storage reduction feature, known as "Dedup," After MSIT identifies the requirements and features that can add the most value to the IntelliMirror service, it will set up a test environment in the Microsoft infrastructure to validate the scenarios and establish a new service improvement plan. Also, in partnership with the branch-office services team, the IntelliMirror service management team is introducing failover clusters to large branch offices (those that have more than 3,000 users) to provide high availability in these locations. Part of Windows Server 2008 R2, failover clusters can scale to include 16 servers (nodes) in a single cluster by using a shared storage back end with support for Serial Attached SCSI (SAS), Internet SCSI (iSCSI), or Fiber Channel interconnects. Initially, MSIT plans to use two-node clusters in its large branch offices. The nodes maintain constant communication with each other to help ensure service availability. If one of the nodes in a cluster becomes unavailable because of an unscheduled or scheduled failure, another node immediately begins to provide service. Users who are accessing a service that has moved from one cluster node to another because of failure or another service-affecting outage will typically not notice any service impact and will continue to work without issue. Finally, the IntelliMirror service management team, like many of commercial customers of Microsoft, is evaluating the Windows Azure cloud platform to establish whether it can offer an alternative solution for the DPM requirements in IntelliMirror. The IntelliMirror service management team sees the flexibility of Windows Azure as an opportunity to meet growing user demand for the service by making the right resources available when and where they are needed. The first stage of the move toward the cloud is already underway. Initially, IntelliMirror service management team plans to set up a pilot on selective IntelliMirror and DPM client servers by early 2011, to evaluate the benefits of on-premises versus the cloud for certain parts of the service.

Conclusion
The service improvement plan to adopt the new features available in the Windows 2008 R2 and Windows 7 operating systems surpassed the expectations of the IntelliMirror service management team. The project has enabled MSIT to add features to the service while continuing to reduce costs. By taking advantage of the existing Microsoft worldwide enterprise server infrastructure, MSIT has been able to increase the user base of the service while maintaining a low TCO. Depending on user counts, the monthly cost for each IntelliMirror user at Microsoft is approximately $2 US per month, which is considered a good return on investment for the benefits that it brings. This project, combined with the Hyper-V rollout in branch offices, has enabled the IntelliMirror service management team to produce a more dynamic product that can adapt easily to

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 8

business needs. The IntelliMirror offering to the Microsoft internal user base has become a more valuable and attractive business resource as a result.

For More Information

For more information about how Windows Server 2008 R2 and Windows 7 features enhance the user experience of the IntelliMirror service, go to: http://technet.microsoft.com/en-us/library/bb742423.aspx#mainSection For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Center at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to: http://www.microsoft.com http://www.microsoft.com/technet/itshowcase
2010 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, BitLocker, Hyper-V, IntelliMirror, Windows, Windows Azure, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Improving the IntelliMirror Service at Microsoft Through Windows 7 and Windows Server 2008 R2 Page 9