Synchronizing SYSVOLs between multiple domain controllers
Note
The SYSVOL directory is a special folder on an Active Directory domain controller that stores netlogon scripts and Group Policy Object (GPO) definitions. On Windows domain controllers it is replicated with DFS-R.
Today, Samba has no official support for DFS-R, the Microsoft-specified mechanism that replicates SYSVOL between domain controllers.
The development work needed to provide it has been identified and priced. If you are interested in financing this functionality, contact us.
Tranquil IT has developed a method that achieves the same result as DFS-R for synchronizing SYSVOL between the Samba-AD domain controllers of one domain.
SysvolSync synchronizes the SYSVOL directory between Samba Active Directory domain controllers.
It is not compatible with DFS-R, so it does not interoperate with the SYSVOL replication of Windows domain controllers.
The method presented below has been tested on Debian and on RedHat 8 and derived distributions.
Introducing the SysvolSync Utility
Note
SysvolSync is built on Syncthing, a very efficient file synchronization tool. Syncthing can report file changes as notifications to an HTTP URL; SysvolSync receives these notifications and reacts by running samba-tool ntacl sysvolreset, which restores the standard SYSVOL ACLs on the freshly synchronized files.
This method is not efficient: every notification resets the ACLs on the whole SYSVOL tree, not only on the files that changed.
Performance improvements are under study.
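To make the mechanism concrete, here is an added illustration, not the SysvolSync code (which lives in the GitHub repository named below): a receiver that accepts change notifications on a loopback HTTP port and reacts by running samba-tool ntacl sysvolreset. It also shows one way of containing the cost described in the note: notifications that arrive in a burst are coalesced into a single reset once the tree has been quiet for a few seconds. The port number, the quiet period and the JSON shape of the notification body are assumptions.

```python
"""Notification-to-ACL-reset receiver with burst coalescing (added example)."""
import json
import subprocess
import sys
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# The command that restores the standard SYSVOL ACLs on a Samba AD DC.
SYSVOLRESET_CMD = ["samba-tool", "ntacl", "sysvolreset"]
LISTEN_PORT = 8999          # assumed; pick a free loopback port on the DC


class ResetCoalescer:
    """Collapse many change notifications into one reset per quiet period.

    quiet_seconds: time to wait after the *last* notification before resetting.
    run_reset:     callable that performs the reset (injected so the logic can be
                   exercised without a domain controller).
    clock:         monotonic time source, injectable for tests.
    """

    def __init__(self, quiet_seconds=2.0, run_reset=None, clock=time.monotonic):
        self.quiet_seconds = quiet_seconds
        self.run_reset = run_reset or self._default_reset
        self.clock = clock
        self._lock = threading.Lock()
        self._last_event = None     # time of the most recent notification
        self.pending_events = 0     # notifications not yet covered by a reset
        self.resets = 0             # resets actually executed

    @staticmethod
    def _default_reset():
        # check=True: a failed reset must surface, not be silently swallowed.
        subprocess.run(SYSVOLRESET_CMD, check=True)

    def notify(self):
        """Record one change notification; no reset happens here."""
        with self._lock:
            self._last_event = self.clock()
            self.pending_events += 1

    def tick(self):
        """Reset once if events are pending and the quiet period has elapsed.

        Returns True when a reset was executed during this call.
        """
        with self._lock:
            if self.pending_events == 0:
                return False
            if self.clock() - self._last_event < self.quiet_seconds:
                return False
            self.pending_events = 0
        # Run outside the lock so a slow sysvolreset never blocks notify().
        self.run_reset()
        self.resets += 1
        return True


def make_handler(coalescer):
    """Build an HTTP handler bound to ``coalescer``.

    The request body is deliberately not trusted: whatever it contains, the only
    action taken is scheduling a full reset, so a malformed or spoofed event can
    at worst cause one extra reset, never an arbitrary command.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            body = self.rfile.read(length) if length else b"{}"
            try:
                json.loads(body)            # shape check only
            except ValueError:
                self.send_response(400)
                self.end_headers()
                return
            coalescer.notify()
            self.send_response(204)
            self.end_headers()

        def log_message(self, *args):       # keep the console quiet
            pass
    return Handler


def serve(coalescer, port=LISTEN_PORT):
    """Bind to loopback only: the notifying sync tool runs on the same host."""
    httpd = HTTPServer(("127.0.0.1", port), make_handler(coalescer))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    while True:
        try:
            coalescer.tick()
        except subprocess.CalledProcessError as exc:
            print("sysvolreset failed: %s" % exc, file=sys.stderr)
        time.sleep(0.5)


if __name__ == "__main__":
    serve(ResetCoalescer())
```

With the injected clock and reset callable, five notifications arriving 100 ms apart produce exactly one reset once the tree has been quiet for the configured period; with one reset per notification, the same burst would have walked the whole SYSVOL tree five times.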
Licensing: Copyright Tranquil IT Systems, GPL v3.0.
The code can be downloaded from Tranquil IT's GitHub space.
Packaging the SysvolSync Utility
Creating the SysvolSync package
# for 64-bit Debian: install the build dependencies, then build the .deb from the repository
sudo apt-get install git python3-requests python3-lxml python3-ldap
git clone https://github.com/tranquilit/tis-sysvolsync
cd tis-sysvolsync/deb
sh createdeb.sh
ls tis-sysvolsync-*.deb
# for 64-bit RedHat8 and derived distributions: install the build dependencies, then build the .rpm
yum install rpm-build git python3-requests python3-lxml python3-ldap
git clone https://github.com/tranquilit/tis-sysvolsync
cd tis-sysvolsync/rpm
sh build.sh
ls *.rpm
Installing SysvolSync
Hint
Install the tis-sysvolsync package on all your domain controllers before continuing with the configuration, because Syncthing connects to the other DCs to exchange encryption keys.
# for 64-bit Debian
apt-get install python3-requests python3-lxml python3-ldap procps ldb-tools
dpkg -i tis-sysvolsync-*.deb
systemctl restart tis-sysvolsync
systemctl restart tis-sysvolacl
# for 64-bit RedHat8 and derived distributions
yum install tis-sysvolsync-*.rpm
systemctl enable tis-sysvolsync
systemctl enable tis-sysvolacl
systemctl restart tis-sysvolsync
systemctl restart tis-sysvolacl
Configuring the SysvolSync utility
Once SysvolSync is deployed on all the domain controllers of the domain, you can proceed with the configuration.
The configuration requires SSH authentication to the other domain controllers in order to exchange the encryption keys:
/opt/tis-sysvolsync/sysvolsync.py configure
Note
The replication topology used by SysvolSync is derived from the nTDSConnection objects created by the KCC (Knowledge Consistency Checker), that is, from the Active Directory replication topology itself.
So if your AD replication topology is a star, SysvolSync will follow a star topology too.
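The following added example (not the SysvolSync code) shows how that topology can be read back. The KCC stores each inbound replication link as an nTDSConnection object beneath the destination DC's "NTDS Settings" container, and the object's fromServer attribute is the DN of the source DC's NTDS Settings object. The script parses such objects in LDIF form, as ldbsearch prints them, derives the peer graph SysvolSync will follow, and flags a star hub and any one-way links. The forest name, site name, connection names and the LDIF itself are constructed sample data, not output from a real domain.

```python
"""Derive the SysvolSync peer topology from KCC nTDSConnection objects (added example)."""
import re
import sys
from collections import defaultdict

# Assumed forest and site naming for the constructed sample below.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"


def _ntds(dc):
    """DN of a DC's NTDS Settings object in the assumed site."""
    return "CN=NTDS Settings,CN=%s,%s" % (dc, SITE)


def _conn(record, dest, src):
    """One constructed nTDSConnection entry: ``dest`` pulls changes from ``src``."""
    return "\n".join([
        "# record %d" % record,
        "dn: CN=%s-from-%s,%s" % (dest, src, _ntds(dest)),   # the KCC uses a GUID as CN
        "objectClass: top",
        "objectClass: leaf",
        "objectClass: connectionPoint",
        "objectClass: nTDSConnection",
        "fromServer: " + _ntds(src),
        "",
    ])


# Constructed sample in the shape ldbsearch prints: a three-DC star with DC1 as
# hub.  DC2 and DC3 each replicate only with DC1.
SAMPLE_LDIF = "\n".join([
    _conn(1, "DC2", "DC1"), _conn(2, "DC1", "DC2"),
    _conn(3, "DC3", "DC1"), _conn(4, "DC1", "DC3"),
    "# returned 4 records",
])


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """One dict per entry: attribute names lower-cased, values kept as lists.

    Comment lines are skipped.  Base64 values (``attr:: ...``) are not decoded;
    they do not occur for the attributes used here.
    """
    entries, current = [], defaultdict(list)
    for line in _unfold(text) + [""]:           # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr.strip().lower()].append(value.strip())
    return entries


_SERVER_RE = re.compile(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def dc_name(dn):
    """Server name of the DC under whose NTDS Settings container ``dn`` lies."""
    m = _SERVER_RE.search(dn)
    return m.group(1) if m else None


def replication_edges(ldif_text):
    """Sorted directed (source_dc, destination_dc) links from nTDSConnection entries."""
    edges = set()
    for entry in parse_ldif(ldif_text):
        if "ntdsconnection" not in {c.lower() for c in entry.get("objectclass", [])}:
            continue
        dest = dc_name(entry.get("dn", [""])[0])
        for src_dn in entry.get("fromserver", []):
            src = dc_name(src_dn)
            if src and dest:
                edges.add((src, dest))
    return sorted(edges)


def peer_map(edges):
    """Undirected view: the DCs each DC will exchange SYSVOL with."""
    peers = defaultdict(set)
    for src, dst in edges:
        peers[src].add(dst)
        peers[dst].add(src)
    return {dc: sorted(p) for dc, p in sorted(peers.items())}


def star_hub(peers):
    """The hub if the topology is a star (one DC linked to every other), else None."""
    n = len(peers)
    hubs = [dc for dc, p in peers.items() if len(p) == n - 1]
    leaves = [dc for dc, p in peers.items() if len(p) == 1]
    return hubs[0] if n >= 3 and len(hubs) == 1 and len(leaves) == n - 1 else None


def one_way_links(edges):
    """Links present in one direction only; changes made on the destination
    would never flow back.  An empty list is what you want to see."""
    s = set(edges)
    return sorted((a, b) for a, b in s if (b, a) not in s)


if __name__ == "__main__":
    # Pass an LDIF file as the first argument, or run without one for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    edges = replication_edges(text)
    peers = peer_map(edges)
    for dc, p in peers.items():
        print("%s <-> %s" % (dc, ", ".join(p)))
    print("star hub:", star_hub(peers), "| one-way links:", one_way_links(edges))
```

On a domain controller with ldb-tools installed, real input can be produced with a query of the form ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Configuration,DC=example,DC=com' '(objectClass=nTDSConnection)' fromServer (database path and base DN adjusted to your installation; both are assumptions here) and passed to the script as its first argument. A one-way link means SYSVOL changes made on the destination DC would never be propagated back, which is worth investigating in the AD replication topology before relying on SysvolSync.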