Reference Link2: https://support.citrix.com/article/CTX22289
A file server must be available to host roaming user profiles.
If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
If the file share is clustered, disable continuous availability on the file share to avoid performance issues.
If you decide to use Roaming User Profiles across multiple versions of Windows, we recommend taking the following actions:
Configure Windows to maintain separate profile versions for each operating system version. This helps prevent undesirable and unpredictable issues such as profile corruption.
Use Folder Redirection to store user files such as documents and pictures outside of user profiles. This enables the same files to be available to users across operating system versions. It also keeps profiles small and sign-ins quick.
Allocate sufficient storage for Roaming User Profiles. If you support two operating system versions, profiles will double in number (and thus total space consumed) because a separate profile is maintained for each operating system version.
Don't use Roaming User Profiles across computers running Windows Vista/Windows Server 2008 and Windows 7/Windows Server 2008 R2. Roaming between these operating system versions isn't supported due to incompatibilities in their profile versions.
Inform your users that changes made on one operating system version won't roam to another operating system version.
When moving your environment to a version of Windows that uses a different profile version (such as from Windows 10 to Windows 10, version 1607—see Appendix B: Profile version reference information for a list), users receive a new, empty roaming user profile. You can minimize the impact of getting a new profile by using Folder Redirection to redirect common folders. There isn't a supported method of migrating roaming user profiles from one profile version to another.
Enable the use of separate profile versions
If you are deploying Roaming User Profiles on computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012, we recommend making a couple of changes to your Windows environment prior to deploying. These changes help ensure that future operating system upgrades go smoothly, and facilitate the ability to simultaneously run multiple versions of Windows with Roaming User Profiles.
To make these changes, use the following procedure.
Download and install the appropriate software update on all computers on which you're going to use roaming, mandatory, super-mandatory, or domain default profiles:
Windows 8.1, or Windows Server 2012 R2: install the software update described in article 2887595 in the Microsoft Knowledge Base (when released).
Windows 8 or Windows Server 2012: install the software update described in article 2887239 in the Microsoft Knowledge Base.
On all computers running Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 on which you will use Roaming User Profiles, use Registry Editor or Group Policy to create the following registry key DWORD Value and set it to 1. For information about creating registry keys by using Group Policy, see Configure a Registry Item.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters\UseProfilePathExtensionVersion
Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Restart the computers.
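The registry change in this procedure, scripted in PowerShell as an added example that is not part of the original article. The function name Set-ProfilePathExtensionVersion is hypothetical; run it elevated, and use -WhatIf to audit without changing anything.

```powershell
# Added example. Run elevated on each Windows 8.1 / 8 / Server 2012 R2 / Server 2012 computer.
function Set-ProfilePathExtensionVersion {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters'
    $name = 'UseProfilePathExtensionVersion'

    # Read the current value; $null means the value does not exist yet.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $changed = $false
    if ($current -ne 1 -and $PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $changed = $true
    }

    # One record per computer so results can be collected and compared.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PreviousValue   = $current
        Changed         = $changed
        RestartRequired = $changed   # the procedure restarts the computer after the change
    }
}

Set-ProfilePathExtensionVersion -WhatIf   # report only; drop -WhatIf to apply
```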
Create a Roaming User Profiles security group
If your environment is not already set up with Roaming User Profiles, the first step is to create a security group that contains all users and/or computers to which you want to apply Roaming User Profiles policy settings.
Administrators of general-purpose roaming user profiles deployments typically create a security group for users.
Administrators of Remote Desktop Services or virtualized desktop deployments typically use a security group for users and the shared computers.
Here's how to create a security group for Roaming User Profiles:
Open Server Manager on a computer with Active Directory Administration Center installed.
On the Tools menu, select Active Directory Administration Center. Active Directory Administration Center appears.
Right-click the appropriate domain or OU, select New, and then select Group.
In the Create Group window, in the Group section, specify the following settings:
In Group name, type the name of the security group, for example: Roaming User Profiles Users and Computers.
In Group scope, select Security, and then select Global.
In the Members section, select Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.
If you want to include computer accounts in the security group, select Object Types, select the Computers check box and then select OK.
Type the names of the users, groups, and/or computers to which you want to deploy Roaming User Profiles, select OK, and then select OK again.
Create a file share for roaming user profiles
If you do not already have a separate file share for roaming user profiles (independent from any shares for redirected folders to prevent inadvertent caching of the roaming profile folder), use the following procedure to create a file share on a server running Windows Server.
Note: Some functionality might differ or be unavailable depending on the version of Windows Server you're using.
Here's how to create a file share on Windows Server:
In the Server Manager navigation pane, select File and Storage Services, and then select Shares to display the Shares page.
In the Shares tile, select Tasks, and then select New Share. The New Share Wizard appears.
On the Select Profile page, select SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead select SMB Share - Advanced.
On the Share Location page, select the server and volume on which you want to create the share.
On the Share Name page, type a name for the share (for example, User Profiles$) in the Share name box.
Tip: When creating the share, hide the share by putting a $ after the share name. This hides the share from casual browsers.
On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the Enable access-based enumeration and Encrypt data access checkboxes.
On the Permissions page, select Customize permissions…. The Advanced Security Settings dialog box appears.
Select Disable inheritance, and then select Convert inherited permissions into explicit permission on this object.
Set the permissions as described in Required permissions for the file share hosting roaming user profiles and shown in the following screen shot, removing permissions for unlisted groups and accounts, and adding special permissions to the Roaming User Profiles Users and Computers group that you created in Step 1.
If you chose the SMB Share - Advanced profile, on the Management Properties page, select the User Files Folder Usage value.
If you chose the SMB Share - Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.
On the Confirmation page, select Create.
Required permissions for the file share hosting roaming user profiles
| User Account | Access | Applies to |
| --- | --- | --- |
| System | Full control | This folder, subfolders and files |
| Administrators | Full Control | This folder only |
| Creator/Owner | Full Control | Subfolders and files only |
| Security group of users needing to put data on share (Roaming User Profiles Users and Computers) | List folder / read data (Advanced permissions); Create folders / append data (Advanced permissions) | This folder only |
| Other groups and accounts | None (remove) | |
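The share settings from the procedure and the NTFS permissions from the table, applied with PowerShell as an added example that is not part of the original article. The folder path and the CONTOSO domain are placeholders, and granting the group Full Control at share level is an assumption, since the page specifies only the NTFS permissions.

```powershell
# Added example; run elevated on the file server.
$Path  = 'D:\Shares\UserProfiles'    # placeholder local folder
$Share = 'User Profiles$'            # example share name from the page ($ hides it)
$Group = 'CONTOSO\Roaming User Profiles Users and Computers'   # CONTOSO is a placeholder

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# One row per table entry: identity, rights, inheritance flags, propagation flags.
$rows = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
    @('BUILTIN\Administrators', 'FullControl', 'None',                            'None'),
    @('CREATOR OWNER',          'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly'),
    @($Group, 'ListDirectory, CreateDirectories', 'None', 'None')
)

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited entries
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }   # remove unlisted accounts
foreach ($r in $rows) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $r[0], $r[1], $r[2], $r[3], 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Path -AclObject $acl

# Share-level access is an assumption (see lead-in); NTFS is the effective limit.
# Continuous availability off; access-based enumeration and encryption are the optional boxes.
New-SmbShare -Name $Share -Path $Path -FullAccess $Group, 'BUILTIN\Administrators' `
    -ContinuouslyAvailable $false -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null

# Review the result against the table.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

Because the group can only list and create folders at the root, and Creator/Owner receives Full Control on what it creates, each user ends up with access to their own profile folder and not to anyone else's.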
Tip 7: Optionally create a GPO for Roaming User Profiles
If you do not already have a GPO created for Roaming User Profiles settings, use the following procedure to create an empty GPO for use with Roaming User Profiles. This GPO allows you to configure Roaming User Profiles settings (such as primary computer support, which is discussed separately), and can also be used to enable Roaming User Profiles on computers, as is typically done when deploying in virtualized desktop environments or with Remote Desktop Services.
Here's how to create a GPO for Roaming User Profiles:
Open Server Manager on a computer with Group Policy Management installed.
From the Tools menu select Group Policy Management. Group Policy Management appears.
Right-click the domain or OU in which you want to set up Roaming User Profiles, then select Create a GPO in this domain, and Link it here.
In the New GPO dialog box, type a name for the GPO (for example, Roaming User Profile Settings), and then select OK.
Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.
Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then select Remove to prevent the GPO from being applied to everyone.
In the Security Filtering section, select Add.
In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Roaming User Profiles Users and Computers), and then select OK.
Select the Delegation tab, select Add, type Authenticated Users, select OK, and then select OK again to accept the default Read permissions. This step is necessary due to security changes made in MS16-072.
Due to the security changes made in MS16-072, you must now give the Authenticated Users group delegated Read permissions to the GPO; otherwise the GPO won't get applied to users, or if it's already applied, the GPO is removed, redirecting user profiles back to the local PC. For more info, see Deploying Group Policy Security Update MS16-072.
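The security group procedure and the GPO procedure above, scripted with the ActiveDirectory and GroupPolicy modules as an added example that is not part of the original article. The OU, domain and member names are placeholders; the net effect on Authenticated Users is Read without Apply, which is what the MS16-072 step requires.

```powershell
# Added example; run on a computer with the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'Roaming User Profiles Users and Computers'   # example name from the page
$GpoName   = 'Roaming User Profile Settings'               # example name from the page
$TargetOU  = 'OU=Workstations,DC=contoso,DC=example'       # placeholder OU and domain
$Members   = 'alice', 'bob', 'RDSH01$'                     # placeholder users and one computer account

# Global security group and its members.
New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -Path $TargetOU
Add-ADGroupMember -Identity $GroupName -Members $Members

# Create the GPO and link it with the link disabled until configuration is finished.
New-GPO -Name $GpoName | New-GPLink -Target $TargetOU -LinkEnabled No | Out-Null

# Security filtering: Authenticated Users drops from Apply to Read (MS16-072),
# and only the Roaming User Profiles group may apply the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Review: expect GpoRead for Authenticated Users and GpoApply for the group.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# When configuration is complete:
# Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes
```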
Appendix A: Checklist for deploying Roaming User Profiles
Status and action:
☐ 1. Prepare domain
    ☐ Join computers to domain
    ☐ Enable the use of separate profile versions
    ☐ Create user accounts
    ☐ (Optional) Deploy Folder Redirection
☐ 2. Create security group for Roaming User Profiles
    - Group name:
    - Members:
☐ 3. Create a file share for Roaming User Profiles
    - File share name:
☐ 4. Create a GPO for Roaming User Profiles
    - GPO name:
☐ 5. Configure Roaming User Profiles policy settings
☐ 6. Enable Roaming User Profiles
    ☐ Enabled in AD DS on user accounts?
    ☐ Enabled in Group Policy on computer accounts?
☐ 7. (Optional) Specify a mandatory Start layout for Windows 10 PCs
☐ 8. (Optional) Enable primary computer support
    ☐ Designate primary computers for users
        - Location of user and primary computer mappings:
    ☐ (Optional) Enable primary computer support for Folder Redirection
        - Computer-based or User-based?
    ☐ (Optional) Enable primary computer support for Roaming User Profiles
☐ 9. Enable the Roaming User Profiles GPO
☐ 10. Test Roaming User Profiles
Appendix B: Profile version reference information
Each profile has a profile version that corresponds roughly to the version of Windows on which the profile is used. For example, Windows 10, version 1703 and version 1607 both use the .V6 profile version. Microsoft creates a new profile version only when necessary to maintain compatibility, which is why not every version of Windows includes a new profile version.
The following table lists the location of Roaming User Profiles on various versions of Windows.
| Operating system version | Roaming User Profile location |
| --- | --- |
| Windows XP and Windows Server 2003 | \\<servername>\<fileshare>\<username> |
| Windows Vista and Windows Server 2008 | \\<servername>\<fileshare>\<username>.V2 |
| Windows 7 and Windows Server 2008 R2 | \\<servername>\<fileshare>\<username>.V2 |
| Windows 8 and Windows Server 2012 | \\<servername>\<fileshare>\<username>.V3 (after the software update and registry key are applied); \\<servername>\<fileshare>\<username>.V2 (before the software update and registry key are applied) |
| Windows 8.1 and Windows Server 2012 R2 | \\<servername>\<fileshare>\<username>.V4 (after the software update and registry key are applied); \\<servername>\<fileshare>\<username>.V2 (before the software update and registry key are applied) |
| Windows 10 | \\<servername>\<fileshare>\<username>.V5 |
| Windows 10, version 1703 and version 1607 | \\<servername>\<fileshare>\<username>.V6 |
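To see which profile versions already exist on a share, the folder suffixes in the table can be parsed directly. This is an added example, not part of the original article; Get-RoamingProfileInventory is a hypothetical helper and the sample folders are constructed.

```powershell
# Added example: list users and the profile versions present for each on a profile share.
function Get-RoamingProfileInventory {
    param([Parameter(Mandatory)][string]$SharePath)

    Get-ChildItem -Path $SharePath -Directory | ForEach-Object {
        # "<username>.V<n>" per the table; no suffix is the Windows XP / Server 2003 layout.
        if ($_.Name -match '^(?<user>.+)\.V(?<ver>\d+)$') {
            $user = $Matches.user
            $ver  = ".V$($Matches.ver)"
        } else {
            $user = $_.Name
            $ver  = '(none)'
        }
        [pscustomobject]@{ User = $user; Version = $ver }
    } | Group-Object -Property User | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Versions = ($_.Group.Version | Sort-Object) -join ', '
            Count    = $_.Count
        }
    }
}

# Constructed sample layout so the example runs without a real share.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'rup-demo'
'alice', 'alice.V2', 'alice.V6', 'bob.V5' | ForEach-Object {
    New-Item -Path (Join-Path $demo $_) -ItemType Directory -Force | Out-Null
}

# Users holding more than one profile version (each version consumes its own storage).
Get-RoamingProfileInventory -SharePath $demo | Where-Object Count -gt 1
```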