Seeking Cost-Effective Backup Solution with File Versioning for Windows AD Environment

I have a Windows Active Directory environment (Server 2019) with around 15–17 users.

Each user has access to a shared drive called “Common Share” and a personal shared folder (named after their username) for storing personal or work-related data.

I attempted to redirect user folders like Downloads, Documents, and Desktop to their respective AD-mapped drives, but it didn’t work well.

I’m now looking for a backup solution with built-in file versioning.

I’m considering installing Syncthing on all machines to sync data to another Proxmox server VM, which will then back up to SharePoint OneDrive as a cloud backup (encrypted).

This seems like a cost-effective option, but I’m open to better alternatives if there are any.

I’ve always used redirected folders via Group Policy and VSS on the storage server without any issues. Are you able to share the GP config?

1 Like

Roaming profiles or regular profiles? With roaming profiles I’ve had really good luck with redirected folders, done through GPO.

1 Like

Frankly speaking, my AD was set up by a third-party vendor, as I’m not very proficient in it. After you mentioned VSS, I searched through my AD and found that VSS is already set up. However, the real issue seems to be with the profile.

What I might need is Roaming Profiles, as I want all my users’ data (including folders like Desktop and Downloads) to be stored in AD.

Currently, there’s a GPO in my AD for folder redirection, but I’m not entirely sure where to find the specific settings. If you could assist me a bit, I’d be happy to share a screenshot of the AD configuration.

What I need is Roaming Profiles, but there seems to be an issue with the profile creation, and the Roaming Profiles are not working properly. I’m not sure how to fix this. Right now, some of my profiles are local, and others are not. I’m unsure how to convert all of them to Roaming Profiles.

Generally I wouldn’t use roaming profiles unless I was running an RDS cluster where a user could be logging into multiple RDS/terminal servers and using applications that required it.

If your users are logging into PCs and you are looking to just have copies of files from their Desktop/Documents folder, etc, I would just use folder redirection. This is native to group policy.

This link might help you: Configure Folder Redirection with Group Policy on Windows Server | Microsoft Learn

If you need further help feel free to ping me on LinkedIn. We could set up a Zoom meeting.

1 Like

Thanks for the link. I realized that some users were not members of this policy, so I’ve added these users to the Folder Redirection policy. I have one more question: Currently, VSS backups are being done to our other local backup server, which is incremental. I know this server supports file versioning, but how can I set up a daily backup to OneDrive? At the moment I have a Business Basic license. I can purchase a specific license just for backup purposes if needed. Also, how should I encrypt the backup by default when it is uploaded to OneDrive?

Regarding Folder Redirection: Let’s say I have User X. I can see their profile data on my server but cannot access it. When taking a VSS backup, how much of the Folder Redirection data will be backed up? Additionally, I’d like to keep all versions of files, regardless of how old they get. Can I do that?

Not sure why you would want to save server backups to OneDrive. You would run out of space pretty quickly. I would look at something like Backblaze to back up your servers offsite.

If you want versioning saved you need to make sure whatever backup solution you use supports VSS.

Maybe these two links will help:

1 Like

I use roaming profiles because my students will be logging into many different computers during a week, saves a lot of bandwidth moving profiles from one local computer to another local computer. Was a big deal back when we only had a 100 Mbps network. Might not be such an issue now that I’m redirecting the folders for almost everything.

1 Like

Check out FSLogix. Works well in an RDS farm. And from my experience, far fewer issues than the traditional AD Roaming Profile setup.

1 Like

FSLogix looks interesting, I’ll have to read up on it for a future change we want to make to storage utilization.

2 Likes

The main reason I’m leaning towards OneDrive is that I just need a simple way to back up files. For Server, I do a full backup, keep one copy locally, and store another on OneDrive. So really, all I need from the backup solution is to keep our files safe.

Even with around 15–17 users, our total backup size is only about 200–300 GB. We’re mostly dealing with documents and PDFs—nothing too large or complex. We used to run some software on a local Hyper-V VM, but since the vendor moved everything to the cloud, that’s no longer something I need to worry about.

What I do have to stay on top of is the files and documents our users create and store. That’s also why I asked about file versioning. We had a situation where an employee left and, before going, locked all the important Excel files with passwords. Luckily, another team member had copies, so we avoided a big problem.

Hmmm… the employee locking files is a problem. I’d have to think about that a bit, seems you need something with a little granularity in the permissions to prevent employees from doing this.

Also note that locking the files could be a crime in some areas of the world. You are paid to produce these things, and the company owns whatever you produce.

1 Like

How much data are we talking about for these files? Seems like a small file share that you can replicate to a second or third would do the work.

Or maybe use Microsoft SharePoint and turn on file versioning, limit access to certain people to be able to roll a version back or delete a file. Do things like Nextcloud allow versioning of files too? You could force them into a Git repo where only certain people can delete or roll back files too.

You might look into permissions on these Excel files, you should be able to have “someone” create the file and set permissions so that users can only change the data. Turn on versioning so that you can roll it back, and when they are going to fire someone, turn off their account before they enter the building. You can “break” remote access for a few days before if the boss thinks something is going to happen. But in short, make sure the workers do not “own” the Excel files if they are really important to the work being done. It’s not ironclad, there is always a way around these protections, but it’s a start.

1 Like

Frankly speaking, I didn’t calculate that either. And yes, you are correct that a small file share would work, and that’s what I currently do. After communicating with you all, I realized there are a few things that were already in place, but I hadn’t fully noticed them—like the VSS backup being taken to my other local server every night and the file versioning system.

Now, regarding Microsoft Excel, I approached this a bit differently. I recently migrated most of my systems to Windows 11, and instead of installing the Microsoft Office suite, I’ve been installing LibreOffice. Most employees are more familiar with using the Microsoft suite for tasks like adding passwords, but not as much with LibreOffice. While I agree that it’s easier for them to search and manage things in LibreOffice too, I think that will be a rare issue here.

Also, I hadn’t tried doing this with Nextcloud, but if I decide to configure it, I’d need to implement some locks or controls to prevent employees from opening the Nextcloud client on their client devices. The same concern applies to syncing as well.

I also agree with the SharePoint idea, but I’m wary because everyone seems to be rushing towards AI and training their models by using customer data from various sources. I don’t want that to happen with us.

Additionally, this is a manufacturing plant, so there’s no real need for AI at this point in time.

That’s why, from the beginning, I’ve been looking to store my backups encrypted in the cloud.

Maybe I’m thinking a bit old school, but this is the approach I prefer for now.

Having VSS backup’s file versioning definitely helps in situations where someone puts a password on a file. Even if a password is added, there will still be an initial unencrypted copy. The backup happens nightly, so if a password is added on the same day, the backup file will also be encrypted.

Also, regarding the laws—yes, there are laws, but sometimes for a company to retrieve its own data through legal processes takes time. That’s their own data, and they’ve paid employees to handle that work. So, I believe it would be better if we could have something in place that eliminates these kinds of delays. That’s just my perspective.
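An added example, not part of any post in this thread: given the versions of one file restored from nightly snapshots, it finds the newest version that is not password-protected, which is the copy the versioning discussion above relies on. The function names and the sample versions are constructed for illustration, and the check is a heuristic that covers encrypted OOXML (.xlsx/.docx) and encrypted ODF (LibreOffice) files only.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")           # OLE compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")     # stream name in encrypted OOXML

def is_password_protected(data: bytes) -> bool:
    """Heuristic: True if the bytes look like a password-encrypted office file."""
    # Encrypted OOXML is no longer a ZIP: it is wrapped in an OLE container
    # that holds an "EncryptedPackage" stream. Legacy .xls/.doc password
    # protection uses a different mechanism and is NOT detected here.
    if data.startswith(OLE_MAGIC):
        return ENC_STREAM in data
    # Encrypted ODF stays a ZIP; the manifest declares the encrypted members.
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "META-INF/manifest.xml" in z.namelist():
                    manifest = z.read("META-INF/manifest.xml")
                    return b"manifest:encryption-data" in manifest
        except zipfile.BadZipFile:
            return False
    return False

def last_unprotected(versions):
    """versions: iterable of (iso_date, bytes). Newest clean date, or None."""
    clean = [ts for ts, data in versions if not is_password_protected(data)]
    return max(clean) if clean else None

def _odf(encrypted: bool) -> bytes:
    """Constructed sample: a minimal ODF-like ZIP, not a real spreadsheet."""
    enc = '<manifest:encryption-data manifest:checksum-type="SHA256"/>' if encrypted else ""
    manifest = ('<manifest:manifest><manifest:file-entry manifest:full-path="content.xml">'
                + enc + "</manifest:file-entry></manifest:manifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("content.xml", "x")
    return buf.getvalue()

# Constructed nightly versions of one file: the password appears on 2024-05-03.
SAMPLE_VERSIONS = [
    ("2024-05-01", _odf(False)),
    ("2024-05-02", _odf(False)),
    ("2024-05-03", _odf(True)),
]

if __name__ == "__main__":
    print("restore from:", last_unprotected(SAMPLE_VERSIONS))
```

Running the same check over the live share each evening, before the nightly backup, would show newly protected files while an unprotected version still exists in the previous snapshot.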

Yes, I agree. I already have VSS in place. I’ve addressed some of my concerns in the reply below. Regarding the Veeam backup, we have around 15-17 users, so we’re already exceeding the limits for that. However, I do use it to take an offline copy of our SharePoint locally at our site. I only have 9 licenses, and it works great for me.

If you aren’t a Microsoft office place, then those tips may not apply. I’ve never looked into versioning a shared file with Open/Libre, something I should look into since that’s what I use for myself.

I’ll think about this a little more over the weekend.

1 Like

Hey, I thought of one more option. I know it may not look ideal, but what if I take another offsite backup using VSS? I will run a small VM on Proxmox with sufficient storage. The only thing I’m concerned about is whether I should use the WireGuard VPN that I have on-site, or use Tailscale for the backup. Let me know your thoughts.