Introduction to Work Folders
Work Folders is a Windows Server role service that allows users to synchronize a folder on a central file server to their Windows devices—similar to a corporate Dropbox, but managed entirely on-premises. Unlike traditional Offline Files, Work Folders syncs over HTTPS on port 443, so it is reachable from both domain-joined machines and personal devices outside the corporate network. Integration with Active Directory provides automatic server discovery via DNS SRV records and lets server-side policy require device encryption and a lock screen before a device is allowed to sync. Windows Server 2019 includes a fully mature Work Folders implementation with improved sync performance and AD-based policy enforcement.
Prerequisites
```powershell
# Work Folders server requirements:
# - Windows Server 2019 member server
# - SSL certificate for the Work Folders URL (HTTPS required)
# - Sufficient disk storage for all user sync shares
# - IIS (installed automatically with the Work Folders role)

# Install the Work Folders role
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# Verify role installation
Get-WindowsFeature FS-SyncShareService

# Install the IIS management tools (needed for HTTPS binding management)
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Console -IncludeManagementTools
```
Step 1: Configure the SSL Certificate
Work Folders uses HTTPS exclusively. Request a certificate for the Work Folders FQDN from the internal CA:
```powershell
# Request a certificate from the internal CA for workfolders.corp.local
$cert = Get-Certificate `
    -Template 'WebServer' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -SubjectName 'CN=workfolders.corp.local' `
    -DnsName 'workfolders.corp.local','workfolders'
$certThumb = $cert.Certificate.Thumbprint

# Bind the certificate to an IIS site named 'Work Folders' on port 443.
# Note: the Work Folders service itself listens through IIS Hostable Web Core and
# does not appear as a site in IIS Manager, so for the service listener the netsh
# binding below is the one that applies.
New-WebBinding -Name 'Work Folders' -Protocol https -Port 443 -SslFlags 0
(Get-WebBinding -Name 'Work Folders' -Protocol https).AddSslCertificate($certThumb, 'My')

# Or bind via netsh (appid is the application GUID of the service that owns the port)
# netsh http add sslcert ipport=0.0.0.0:443 certhash=$certThumb appid='{application-guid}'

# Verify the binding
Get-WebBinding | Where-Object { $_.bindingInformation -like '*:443:*' }

# Open firewall for Work Folders
New-NetFirewallRule -DisplayName 'Work Folders HTTPS' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
```
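Before rolling clients out, it is worth checking what a client actually receives from the endpoint: the chain it must trust, the names on the certificate and the remaining validity. The function below is an added example, not code from the article; it assumes the workfolders.corp.local FQDN used above.

```powershell
# Added example (not from the original article): connect to the Work Folders endpoint
# the way a client does and report the certificate it presents.
function Test-WorkFoldersTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$MinDaysValid = 30
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        # Default chain validation is kept on purpose: an untrusted chain throws here,
        # which is the same failure a device without the internal CA root will hit.
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # OID 2.5.29.17 is Subject Alternative Name; Format() renders "DNS Name=..." entries
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [PSCustomObject]@{
            HostName    = $HostName
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Protocol    = $ssl.SslProtocol
            NotAfter    = $cert.NotAfter
            NameMatches = ($san -match [regex]::Escape("DNS Name=$HostName"))
            ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid))
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Run from a domain-joined machine and from a non-domain test device
Test-WorkFoldersTls -HostName 'workfolders.corp.local' | Format-List
```

An exception from AuthenticateAsClient on a non-domain device means that device does not trust the issuing internal CA, so personal devices will need either the CA root distributed to them or a certificate from a publicly trusted CA.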
Step 2: Configure Sync Shares
A Sync Share maps a folder on the file server to the set of users allowed to synchronize with it; Work Folders creates a subfolder for each user's data the first time that user syncs:
```powershell
# Create the base directory for user data
New-Item -Path 'D:\WorkFolders' -ItemType Directory -Force

# Set NTFS permissions on the base directory: disable inheritance and drop the
# inherited ACEs so that only the rules added below apply
$acl = Get-Acl 'D:\WorkFolders'
$acl.SetAccessRuleProtection($true, $false)

# Grant full control to SYSTEM and Administrators; Work Folders grants each user
# access to their own subfolder when it creates it
$systemRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
)
$adminRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
)
$acl.AddAccessRule($systemRule)
$acl.AddAccessRule($adminRule)
Set-Acl 'D:\WorkFolders' $acl

# Create a Sync Share for all domain users
# -UserFolderName accepts 'user' (folder named after the alias) or 'user@domain'
New-SyncShare -Name 'UserData' `
    -Path 'D:\WorkFolders' `
    -UserFolderName 'user' `
    -User 'CORP\Domain Users' `
    -Description 'Corporate Work Folders sync share' `
    -InheritedFolderPermissions $true

# Create a Sync Share for a specific department only
New-SyncShare -Name 'FinanceData' `
    -Path 'D:\WorkFolders\Finance' `
    -UserFolderName 'user' `
    -User 'CORP\Finance-Users' `
    -Description 'Finance department Work Folders'

# Verify sync shares
Get-SyncShare | Select-Object Name, Path, UserFolderName, Enabled
```
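Because every user's data sits under one base directory, an ACE added to the wrong folder by hand exposes one user's files to another. The audit below is an added example rather than the article's code; it assumes the D:\WorkFolders layout, the 'user' folder naming and the CORP domain from this step.

```powershell
# Added example (not from the original article): flag per-user Work Folders
# directories whose ACL grants anyone other than SYSTEM, Administrators and the
# owning user. Folder name == user alias, which holds for -UserFolderName 'user'.
function Get-SyncShareAclDrift {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [string]$Domain = 'CORP',
        [string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    Get-ChildItem -Path $SharePath -Directory | ForEach-Object {
        $owner = "$Domain\$($_.Name)"
        $acl = Get-Acl -Path $_.FullName

        # Collect every ACE that is neither a platform principal nor the folder's user
        $unexpected = foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($id -notin $AllowedPrincipals -and $id -ne $owner) { $ace }
        }

        [PSCustomObject]@{
            Folder           = $_.FullName
            ExpectedUser     = $owner
            InheritsFromBase = -not $acl.AreAccessRulesProtected
            UnexpectedAccess = ($unexpected | ForEach-Object {
                "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; '
        }
    } | Where-Object { $_.UnexpectedAccess }
}

# Review the report; an empty result means every user folder is scoped as expected
Get-SyncShareAclDrift -SharePath 'D:\WorkFolders' | Format-Table -AutoSize
```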
Step 3: Configure AD-Based Policy
Work Folders can enforce client-side policies via Active Directory attributes and Group Policy, including requiring device encryption and lock screens before synchronization is allowed:
```powershell
# Set Work Folders security policies on the sync share
Set-SyncShare -Name 'UserData' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true `
    -PasswordAutoLockDelay 15 `
    -MaxUploadFile 10GB

# Verify policies
Get-SyncShare -Name 'UserData' |
    Select-Object Name, RequireEncryption, RequirePasswordAutoLock, PasswordAutoLockDelay

# Configure Work Folders discovery via DNS SRV record
# This allows clients to auto-discover the Work Folders server by email address
# Add the following DNS SRV record to your DNS zone:
#   _workfolders._tcp.corp.local SRV 0 0 443 workfolders.corp.local
Add-DnsServerResourceRecord -ZoneName 'corp.local' `
    -Name '_workfolders._tcp' `
    -Srv `
    -DomainName 'workfolders.corp.local.' `
    -Priority 0 `
    -Weight 0 `
    -Port 443

# Verify DNS record
Resolve-DnsName -Name '_workfolders._tcp.corp.local' -Type SRV
```
Step 4: Configure Group Policy for Automatic Work Folders Setup
```powershell
# Create a GPO that auto-configures Work Folders on domain-joined Windows 10/11 clients
$gpo = New-GPO -Name 'Deploy Work Folders'
New-GPLink -Name 'Deploy Work Folders' -Target 'OU=Workstations,DC=corp,DC=local'

# Configure the Work Folders URL via Group Policy
# (AutoProvision and SyncUrl are the value names used by the Work Folders ADMX)
Set-GPRegistryValue -Name 'Deploy Work Folders' `
    -Key 'HKCU\SOFTWARE\Policies\Microsoft\Windows\WorkFolders' `
    -ValueName 'AutoProvision' `
    -Type DWord -Value 1
Set-GPRegistryValue -Name 'Deploy Work Folders' `
    -Key 'HKCU\SOFTWARE\Policies\Microsoft\Windows\WorkFolders' `
    -ValueName 'SyncUrl' `
    -Type String -Value 'https://workfolders.corp.local'

# GPO path in UI:
#   User Configuration > Administrative Templates > Windows Components > Work Folders
#   Specify Work Folders settings:
#     Work Folders URL: https://workfolders.corp.local
#     Force automatic setup: Enabled

# Prevent users from changing the Work Folders location
Set-GPRegistryValue -Name 'Deploy Work Folders' `
    -Key 'HKCU\SOFTWARE\Policies\Microsoft\Windows\WorkFolders' `
    -ValueName 'ForcedLocalFolderPath' `
    -Type String -Value '%USERPROFILE%\Work Folders'
```
Step 5: AD Integration for Dynamic Server Assignment
In multi-server Work Folders deployments, you can use AD attributes to assign users to specific sync servers based on department, location, or other criteria:
```powershell
# Set the msDS-SyncServerUrl attribute on user accounts to point to specific servers
# This overrides the auto-discovery and sends specific users to specific servers
$londonUsers = Get-ADUser -Filter * -SearchBase 'OU=London,OU=Employees,DC=corp,DC=local'
foreach ($user in $londonUsers) {
    Set-ADUser -Identity $user -Replace @{
        'msDS-SyncServerUrl' = 'https://workfolders-london.corp.local'
    }
    Write-Output "Assigned $($user.SamAccountName) to London Work Folders server"
}

$dallasUsers = Get-ADUser -Filter * -SearchBase 'OU=Dallas,OU=Employees,DC=corp,DC=local'
foreach ($user in $dallasUsers) {
    Set-ADUser -Identity $user -Replace @{
        'msDS-SyncServerUrl' = 'https://workfolders.corp.local'
    }
}

# Verify the attribute is set
Get-ADUser -Identity 'jsmith' -Properties 'msDS-SyncServerUrl' |
    Select-Object SamAccountName, 'msDS-SyncServerUrl'
```
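The OU loops above are one instance of a more general pattern: derive the server from an AD attribute, write the override only where it differs, and clear it where no server is mapped so the user falls back to DNS discovery. The function below is an added example, not the article's code; the department names, URLs and search base are assumptions.

```powershell
# Added example (not from the original article): keep msDS-SyncServerUrl in step
# with a department-to-server map. Idempotent, and -WhatIf shows planned changes.
function Sync-WorkFoldersServerAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$DepartmentToUrl,
        [Parameter(Mandatory)][string]$SearchBase
    )
    $users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
                        -Properties department, 'msDS-SyncServerUrl'
    foreach ($u in $users) {
        $dept = $u.department
        $want = if ($dept -and $DepartmentToUrl.ContainsKey($dept)) { $DepartmentToUrl[$dept] } else { $null }
        $have = @($u.'msDS-SyncServerUrl')[0]   # attribute is multi-valued; use the first value
        if ($want -eq $have) { continue }       # already correct, nothing to write

        if (-not $want) {
            # No mapping for this department: remove the override so DNS discovery applies
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'clear msDS-SyncServerUrl')) {
                Set-ADUser -Identity $u -Clear 'msDS-SyncServerUrl'
            }
        } elseif ($PSCmdlet.ShouldProcess($u.SamAccountName, "set msDS-SyncServerUrl=$want")) {
            Set-ADUser -Identity $u -Replace @{ 'msDS-SyncServerUrl' = $want }
        }

        # One record per user whose assignment changed (or would change under -WhatIf)
        [PSCustomObject]@{ User = $u.SamAccountName; Department = $dept; Before = $have; After = $want }
    }
}

# Assumed mapping for illustration; departments without an entry revert to discovery
$map = @{
    'Finance'     = 'https://workfolders-london.corp.local'
    'Engineering' = 'https://workfolders.corp.local'
}
Sync-WorkFoldersServerAssignment -DepartmentToUrl $map `
    -SearchBase 'OU=Employees,DC=corp,DC=local' -WhatIf | Format-Table -AutoSize
```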
Monitoring and Managing Sync
```powershell
# View current sync share status
Get-SyncShare | Select-Object Name, Path, Enabled, CurrentUserCount

# View all active user sync sessions
Get-SyncUserSession | Select-Object UserName, DeviceId, DeviceType,
    LastSyncTime, SyncStatus, FilesInPending

# Get details for a specific user's sync status
Get-SyncUserSession -UserName 'CORP\jsmith' | Format-List

# Suspend sync for a user (e.g., when offboarding)
Suspend-SyncUser -SyncShareName 'UserData' -UserName 'CORP\jsmith'

# Disconnect a specific device
Disconnect-SyncDevice -DeviceId 'device-guid-here' -SyncShareName 'UserData' -Force

# Check the Work Folders event log
Get-WinEvent -LogName 'Microsoft-Windows-SyncShare/Operational' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in 'Error','Warning' } |
    Select-Object TimeCreated, Id, Message

# Monitor sync share disk usage
Get-ChildItem 'D:\WorkFolders' -Directory | ForEach-Object {
    $size = (Get-ChildItem $_.FullName -Recurse -File | Measure-Object Length -Sum).Sum
    [PSCustomObject]@{
        User   = $_.Name
        SizeGB = [math]::Round($size / 1GB, 3)
    }
} | Sort-Object SizeGB -Descending | Select-Object -First 20
```
Backup and Recovery
```powershell
# Work Folders supports VSS snapshots for point-in-time recovery
# Enable shadow copies on the Work Folders volume
vssadmin add shadowstorage /for=D: /on=D: /maxsize=20%

# Schedule hourly shadow copies. vssadmin needs an elevated context, so the task
# runs as SYSTEM at the highest run level rather than as the registering user.
$action    = New-ScheduledTaskAction -Execute 'vssadmin.exe' -Argument 'create shadow /for=D:'
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$task = New-ScheduledTask -Action $action -Trigger $trigger -Principal $principal `
    -Settings (New-ScheduledTaskSettingsSet)
Register-ScheduledTask -TaskName 'VSS Shadow Copies for Work Folders' -InputObject $task

# View shadow copies
vssadmin list shadows /for=D:

# Clients can right-click a file in their Work Folders and select "Previous Versions"
# to restore from shadow copies
```
Conclusion
Work Folders on Windows Server 2019 with AD integration provides a fully on-premises, enterprise-managed file synchronization solution that works from any location over HTTPS. DNS SRV auto-discovery removes the burden of manual client configuration, AD attribute-based server assignment allows scaling to multiple regional servers, Group Policy automates deployment, and sync policies enforce encryption and lock screens for data protection. For organizations that cannot or choose not to use cloud storage services, Work Folders delivers the critical sync-anywhere user experience under full IT control.