.. Reminder for header structure:
    Parts (H1) : #################### with overline
    Chapters (H2) : ******************** with overline
    Sections (H3) : ====================
    Subsections (H4) : --------------------
    Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
    Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
    :description: Synchronizing SYSVOLs between multiple domain controllers
    :keywords: SYSVOL, Debian, RedHat8 and derived distributions, Samba-AD, documentation, synchronization

.. _samba_tis_sysvolsync:

#########################################################
Synchronizing SYSVOLs between multiple domain controllers
#########################################################

.. note::

    The :file:`SYSVOL` directory is a special folder on an Active Directory
    domain controller that is used to store netlogon scripts and GPO
    definitions.

    Today, there is no official support for a DFS-R mechanism in Samba based
    on Microsoft specifications. Developments to achieve this functionality
    have been identified and priced. If you are interested in financing the
    functionality, :ref:`contact us `.

Tranquil IT has developed a method that achieves the same result as DFS-R to
synchronize :file:`SYSVOL` between Samba-AD servers in the same domain.

:program:`SysvolSync` is a solution to synchronize the :file:`SYSVOL`
directory between two Samba Active Directory domain controllers. It is not
compatible with DFS-R.

The method presented below has been tested on Debian10 / RedHat8 and derived
distributions.

**********************************
Introducing the SysvolSync Utility
**********************************

.. note::

    :program:`SysvolSync` is based on `Syncthing `_, a very efficient
    synchronization tool.

    :program:`Syncthing` can send notifications to an http url.
    :program:`SysvolSync` receives and processes these notifications by
    triggering a :command:`samba-tool ntacl sysvolreset`.

    This method is not intended to be efficient because it resets the
    :abbr:`ACLs (Access Control Lists)` on the whole :file:`SYSVOL` tree.
    Performance improvements are under study.

Licensing
=========

Copyright: `Tranquil IT Systems `_, GPL v3.0.

The code can be downloaded from `Tranquil IT’s Github space `_.

********************************
Packaging the SysvolSync Utility
********************************

Creating the SysvolSync package
===============================

.. code-block:: bash

    # for 64-bit Debian10
    sudo apt-get install git python-requests python-lxml python-ldap
    git clone https://github.com/tranquilit/tis-sysvolsync
    cd tis-sysvolsync/deb
    sh createdeb.sh
    ls tis-sysvolsync-*.deb

    # for 64-bit RedHat8 and derived distributions
    yum install rpm-build git python-requests python-lxml python-ldap
    git clone https://github.com/tranquilit/tis-sysvolsync
    cd tis-sysvolsync/rpm
    sh build.sh
    ls *.rpm

Installing SysvolSync
=====================

.. hint::

    Remember to install the *tis-sysvolsync* package on all your domain
    controllers before continuing the configuration, because
    :program:`Syncthing` connects to the other DCs to exchange encryption keys.

.. code-block:: bash

    # for 64-bit Debian10
    apt-get install python-requests python-lxml python-ldap procps ldb-tools
    dpkg -i tis-sysvolsync-*.deb
    systemctl restart tis-sysvolsync
    systemctl restart tis-sysvolacl

    # for 64-bit RedHat8 and derived distributions
    yum install tis-sysvolsync-*.el7.redhat.x86_64.rpm
    systemctl enable tis-sysvolsync
    systemctl enable tis-sysvolacl
    systemctl restart tis-sysvolsync
    systemctl restart tis-sysvolacl

Configuring the SysvolSync utility
----------------------------------

Once :program:`SysvolSync` is deployed on all the controllers in the domain,
you can proceed with the configuration. The configuration requires SSH
authentication to exchange encryption keys:

.. code-block:: bash

    /opt/tis-sysvolsync/sysvolsync.py configure

.. note::

    The replication topology for :program:`SysvolSync` is based on the one
    defined by the *ntdsconnection* objects of the :abbr:`KCC (Knowledge
    Consistency Checker)`. So if you have a star replication topology, then
    :program:`SysvolSync` will have a star replication topology.
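The notification path described in the introduction (Syncthing reports that the SYSVOL folder has finished a sync, the listener then runs :command:`samba-tool ntacl sysvolreset`) is illustrated by the following added example; it is not the tis-sysvolsync code itself. It assumes Syncthing's ``StateChanged`` event shape (``data.folder``, ``data.from``, ``data.to``), a Syncthing folder id of ``sysvol`` and a listener bound to loopback port 8888, and it coalesces bursts of events so that the full-tree ACL reset the text warns about runs at most once per interval without any request being lost.

```python
import json, subprocess, time
from http.server import BaseHTTPRequestHandler, HTTPServer

SYSVOL_FOLDER_ID = "sysvol"  # assumed Syncthing folder id holding /var/lib/samba/sysvol
RESET_CMD = ["samba-tool", "ntacl", "sysvolreset"]

def sync_finished(event, folder_id=SYSVOL_FOLDER_ID):
    """True when a StateChanged event reports the SYSVOL folder going syncing -> idle."""
    data = event.get("data") if isinstance(event, dict) else None
    return (isinstance(data, dict) and event.get("type") == "StateChanged"
            and data.get("folder") == folder_id
            and data.get("from") == "syncing" and data.get("to") == "idle")

class ResetScheduler:
    """Coalesce bursts: run sysvolreset at most once per `interval` seconds, never dropping a request."""
    def __init__(self, interval=30.0, clock=time.monotonic, runner=subprocess.run):
        self.interval, self.clock, self.runner = interval, clock, runner
        self.last_run, self.pending = None, False

    def request(self):  # called per notification; True if the reset ran immediately
        self.pending = True
        return self.tick()

    def tick(self):  # called periodically; runs a pending reset once the interval has elapsed
        now = self.clock()
        if not self.pending or (self.last_run is not None and now - self.last_run < self.interval):
            return False
        self.runner(RESET_CMD, check=True)
        self.last_run, self.pending = now, False
        return True

scheduler = ResetScheduler()

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            events = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except ValueError:
            self.send_response(400); self.end_headers(); return
        if any(sync_finished(e) for e in (events if isinstance(events, list) else [events])):
            scheduler.request()
        self.send_response(204); self.end_headers()

if __name__ == "__main__":
    # loopback only: anyone able to reach this URL can force repeated full ACL resets
    server = HTTPServer(("127.0.0.1", 8888), Handler)
    server.timeout = 5  # handle_request() returns every 5 s so a pending reset gets run
    while True:
        server.handle_request()
        scheduler.tick()
```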