SysVol replication (DFS-R): Difference between revisions
From SambaWiki
m (Added information about idmap.ldb sync frequency) |
NerdyGriffin (talk | contribs) (I copied over instructions about idmap.ldb from the "Joining_a_Samba_DC_to_an_Existing_Active_Directory" page, since they are a prerequisite for using the sysvol replication workarounds.) |
||
| Line 15: | Line 15: | ||
To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups. |
|||
By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must: |
|||
* Create a hot-backup of the <code>/usr/local/samba/private/idmap.ldb</code> file on the existing DC: |
|||
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb |
|||
: This creates a backup file <code>/usr/local/samba/private/idmap.ldb.bak</code>. |
|||
* Move the backup file to the <code>/usr/local/samba/private/</code> folder on the new joined DC and remove the <code>.bak</code> suffix to replace the existing file. |
|||
* Run <code>net cache flush</code> on the new DC. |
|||
* You will now need to sync Sysvol to the new DC. |
|||
* Reset the Sysvol folder's file system access control lists (ACL) on the new DC: |
|||
# samba-tool ntacl sysvolreset |
|||
Latest revision as of 17:21, 19 October 2024
Samba in its current state doesn't support SysVol replication via DFS-R (Distributed File System Replication) or the older FRS (File Replication Service) used in Windows Server 2000/2003 for Sysvol replication.
We Currently advise administrators to use one of the following workarounds:
- Rsync based SysVol replication workaround (Samba DCs only): Quick setup, easy to configure.
- Bidirectional Rsync/Unison based SysVol replication workaround (Samba DCs only): More complex, requires third party script, each DC requires a cron job against each other DC
- Bidirectional Rsync/osync based SysVol replication workaround (Samba DCs only): More complex, requires third party script, each DC requires a cron job against each other DC
- Robocopy based SysVol replication workaround (Samba DCs -> Windows DCs): Quick set, easy to configure, uses MS robocopy
 | You need to sync idmap.ldb from the DC holding the PDC_Emulator FSMO role to all other DCS. This ensures that all DCs will use the same IDs. If you do not sync idmap.ldb, you can and will get different IDs on each DC. You need to sync idmap.ldb when you first join a new DC and then regularly, to ensure the IDs remain constant, you do not need to sync idmap.ldb every time you sync SysVol but as stated in the mailing list it should be done periodically. |
To use a Sysvol Replication workaround, all domain controllers (DC) must use the same ID mappings for built-in users and groups.
By default, a Samba DC stores the user & group IDs in 'xidNumber' attributes in 'idmap.ldb'. Because of the way 'idmap.ldb' works, you cannot guarantee that each DC will use the same ID for a given user or group. To ensure that you do use the same IDs, you must:
- Create a hot-backup of the
/usr/local/samba/private/idmap.ldbfile on the existing DC:
# tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
- This creates a backup file
/usr/local/samba/private/idmap.ldb.bak.
- Move the backup file to the
/usr/local/samba/private/folder on the new joined DC and remove the.baksuffix to replace the existing file.
- Run
net cache flushon the new DC.
- You will now need to sync Sysvol to the new DC.
- Reset the Sysvol folder's file system access control lists (ACL) on the new DC:
# samba-tool ntacl sysvolreset