Synchronizing SYSVOLs between multiple domain controllers

Note

The SYSVOL directory is a special share on an Active Directory domain controller that stores netlogon scripts and Group Policy Object (GPO) definitions. Every domain controller of the domain must hold an identical copy of it.

Today, Samba has no official implementation of DFS-R, the Microsoft-specified mechanism that replicates SYSVOL between domain controllers.

The developments needed to provide this functionality have been identified and priced. If you are interested in financing them, contact us.

Tranquil IT has developed a method that achieves the same result as DFS-R: keeping SYSVOL synchronized between the Samba-AD servers of one domain.

SysvolSync synchronizes the SYSVOL directory between two or more Samba Active Directory domain controllers. It is not compatible with DFS-R, so it only applies to domains whose domain controllers are all Samba-AD.

The method presented below has been tested on Debian 10 and RedHat 8 (and derived distributions).

Introducing the SysvolSync Utility

Note

SysvolSync is based on Syncthing, a very efficient file synchronization tool. Syncthing exposes file-change events over its HTTP REST API; SysvolSync consumes these notifications and reacts to them by running samba-tool ntacl sysvolreset, which rewrites the NT ACLs that Syncthing does not carry over.

This method is not efficient: every notification resets the ACLs on the whole SYSVOL tree, whatever the size of the change. Performance improvements are under study.
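The following is an added illustration of the notification handling described above; it is not SysvolSync's own code. It takes one batch of events as returned by Syncthing's event API (GET /rest/events?since=<id>), keeps only the successfully written items of the SYSVOL folder, and collapses the whole batch into a single sysvolreset, since the reset covers the whole tree anyway. The folder ID "sysvol", the event values and the helper names are assumptions.

```python
import subprocess

# Hypothetical Syncthing folder ID under which /var/lib/samba/sysvol is shared.
SYSVOL_FOLDER_ID = "sysvol"
# The command the page says the notification handler ends up running.
RESET_CMD = ["samba-tool", "ntacl", "sysvolreset"]

# Constructed sample of one batch from GET /rest/events?since=40. The shape
# follows Syncthing's ItemFinished event (id, type, data.folder, data.item,
# data.error); every value here is invented.
SAMPLE_EVENTS = [
    {"id": 41, "type": "StateChanged",
     "data": {"folder": "sysvol", "from": "scanning", "to": "idle"}},
    {"id": 42, "type": "ItemFinished",
     "data": {"folder": "sysvol", "item": "example.lan/Policies/{GUID}/GPT.INI",
              "action": "update", "type": "file", "error": None}},
    {"id": 43, "type": "ItemFinished",
     "data": {"folder": "homes", "item": "alice/notes.txt",
              "action": "update", "type": "file", "error": None}},
    {"id": 44, "type": "ItemFinished",
     "data": {"folder": "sysvol", "item": "example.lan/scripts/logon.bat",
              "action": "update", "type": "file", "error": "permission denied"}},
    {"id": 45, "type": "ItemFinished",
     "data": {"folder": "sysvol", "item": "example.lan/scripts/logon.bat",
              "action": "update", "type": "file", "error": None}},
]


def sysvol_changes(events, since, folder_id=SYSVOL_FOLDER_ID):
    """Events newer than `since` that record an item successfully written
    into the SYSVOL folder (other folders and failed items are ignored)."""
    return [e for e in events
            if e["id"] > since
            and e["type"] == "ItemFinished"
            and e["data"].get("folder") == folder_id
            and not e["data"].get("error")]


def plan_reset(events, since, folder_id=SYSVOL_FOLDER_ID):
    """Decide what to do with one polled batch.

    Returns (new_since, run_reset). sysvolreset rewrites the ACLs of the whole
    tree, so a batch with N changed files costs one reset, not N; new_since is
    the cursor to pass to the next poll so no event is processed twice."""
    new_since = max([e["id"] for e in events], default=since)
    return new_since, bool(sysvol_changes(events, since, folder_id))


def apply_plan(run_reset, runner=subprocess.run):
    """Run the reset when the plan says so. `runner` is injectable so the
    logic can be exercised on a machine without samba-tool."""
    if not run_reset:
        return None
    return runner(RESET_CMD, check=True)


if __name__ == "__main__":
    since, run = plan_reset(SAMPLE_EVENTS, since=40)
    print("next since=%d, reset needed=%s" % (since, run))
    for e in sysvol_changes(SAMPLE_EVENTS, since=40):
        print("  changed:", e["data"]["item"])
```

A real handler would loop on the event API with the returned cursor and call apply_plan with the default runner; the sample batch above yields two SYSVOL changes (ids 42 and 45) and therefore exactly one reset.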

Licensing Copyright: Tranquil IT Systems, GPL v3.0.

The code can be downloaded from Tranquil IT's GitHub space (the repository URL is given in the build commands below).

Packaging the SysvolSync Utility

Creating the SysvolSync package

# for 64-bit Debian10

sudo apt-get install git python-requests python-lxml python-ldap
git clone  https://github.com/tranquilit/tis-sysvolsync
cd tis-sysvolsync/deb
sh createdeb.sh
ls tis-sysvolsync-*.deb

# for 64-bit RedHat8 and derived distributions

yum install rpm-build git python-requests python-lxml python-ldap
git clone  https://github.com/tranquilit/tis-sysvolsync
cd tis-sysvolsync/rpm
sh build.sh
ls *.rpm

Installing SysvolSync

Hint

Install the tis-sysvolsync package on all your domain controllers before continuing with the configuration: the configure step connects to the other DCs to exchange Syncthing's device identities and encryption keys, so it must find the package installed on every one of them.

# for 64-bit Debian10

apt-get install python-requests python-lxml python-ldap procps ldb-tools
dpkg -i tis-sysvolsync-*.deb
systemctl restart tis-sysvolsync
systemctl restart tis-sysvolacl

# for 64-bit RedHat8 and derived distributions

yum install tis-sysvolsync-*.rpm
systemctl enable tis-sysvolsync
systemctl enable tis-sysvolacl
systemctl restart tis-sysvolsync
systemctl restart tis-sysvolacl

Configuring the SysvolSync utility

Once SysvolSync is deployed on all the controllers in the domain, you can proceed with the configuration.

The configure step needs SSH access to the other domain controllers (it will prompt for authentication) in order to exchange the encryption keys:

/opt/tis-sysvolsync/sysvolsync.py configure

Note

SysvolSync builds its replication topology from the nTDSConnection objects that the KCC (Knowledge Consistency Checker) creates for AD replication: each DC synchronizes SYSVOL with the DCs it already has an AD replication connection with.

So if the KCC has built a star replication topology, SysvolSync will synchronize SYSVOL in a star as well.
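To see which topology SysvolSync will inherit before running configure, you can list the nTDSConnection objects from the local Samba database and work out the peer pairs. The script below is an added example, not part of SysvolSync; it parses the LDIF printed by ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs '(objectClass=nTDSConnection)' fromServer (the sample text is constructed for a hypothetical three-DC domain example.lan; the GUIDs and server names are invented) and reports the per-DC peers and whether the result is a star.

```python
import re
from collections import defaultdict

# Constructed sample of what
#   ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs \
#       '(objectClass=nTDSConnection)' fromServer
# prints on a hypothetical domain with DC1, DC2 and DC3 whose KCC built a star
# centred on DC1. Long values are folded with a leading space, as LDIF does.
SAMPLE_LDIF = """\
# record 1
dn: CN=6d6c0c0c-0000-4000-8000-000000000001,CN=NTDS Settings,CN=DC2,CN=Servers,
 CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
fromServer: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=example,DC=lan

# record 2
dn: CN=6d6c0c0c-0000-4000-8000-000000000002,CN=NTDS Settings,CN=DC1,CN=Servers,
 CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
fromServer: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=example,DC=lan

# record 3
dn: CN=6d6c0c0c-0000-4000-8000-000000000003,CN=NTDS Settings,CN=DC3,CN=Servers,
 CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
fromServer: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=example,DC=lan

# record 4
dn: CN=6d6c0c0c-0000-4000-8000-000000000004,CN=NTDS Settings,CN=DC1,CN=Servers,
 CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
fromServer: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=example,DC=lan

# returned 4 records
# 4 entries
# 0 referrals
"""

# The server object is the RDN right after "CN=NTDS Settings" in both the
# connection DN (destination) and the fromServer value (source).
_SERVER_RE = re.compile(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) and drop '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Split unfolded LDIF into records: dicts of lower-cased attribute -> [values].
    Plain 'attr: value' lines only; base64 ('attr:: ...') values are not expected here."""
    records, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def server_name(dn):
    match = _SERVER_RE.search(dn)
    if not match:
        raise ValueError("not an NTDS Settings DN: %s" % dn)
    return match.group(1).upper()


def connection_edges(text):
    """(destination, source) pairs, one per nTDSConnection: the KCC's
    'destination pulls from source' links that SysvolSync mirrors."""
    edges = []
    for rec in parse_records(text):
        if "dn" in rec and "fromserver" in rec:
            edges.append((server_name(rec["dn"][0]), server_name(rec["fromserver"][0])))
    return sorted(edges)


def sync_peers(edges):
    """Undirected peer map: which DCs a given DC will exchange SYSVOL with."""
    peers = defaultdict(set)
    for dst, src in edges:
        peers[dst].add(src)
        peers[src].add(dst)
    return {dc: sorted(p) for dc, p in peers.items()}


def star_hub(peers):
    """Return the hub DC if the topology is a star (one DC linked to every other,
    every other DC linked only to it), else None (e.g. full mesh or ring)."""
    hubs = [dc for dc, p in peers.items() if len(p) == len(peers) - 1]
    if len(hubs) == 1 and all(p == [hubs[0]] for dc, p in peers.items() if dc != hubs[0]):
        return hubs[0]
    return None


if __name__ == "__main__":
    edges = connection_edges(SAMPLE_LDIF)
    for dst, src in edges:
        print("%s pulls from %s" % (dst, src))
    print("star hub:", star_hub(sync_peers(edges)))
```

On a real DC, feed the script the output of the ldbsearch command quoted above instead of SAMPLE_LDIF; with the constructed sample, DC1 is reported as the hub and DC2 and DC3 each have DC1 as their only SYSVOL peer.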