Sysvol replication + GPOs in Samba4

Kenneth MacDonald K.MacDonald at
Wed Jan 24 23:23:36 GMT 2007

>>>>> "pawo2000" == pawo2000  <pawo2000 at> writes:

    >> GPO support remains one of our longer term goals: everybody
    >> tells us 'it's not too hard', but we haven't spent any time on
    >> it yet.
    >> File replication is likewise in that category, but we can
    >> probably get away with using CIFS for the pull side.

    pawo2000> OK. If people say 'it is not too hard' then I would like
    pawo2000> to take my chances and at least try to add group
    pawo2000> policy support (IMHO the implementation of SYSVOL
    pawo2000> replication doesn't make sense if a group policy is not
    pawo2000> supported at all). And please don't laugh at me - I know
    pawo2000> the implementation may take several months. I don't
    pawo2000> think I can handle that alone, without your support and
    pawo2000> your contribution, so expect a lot of my questions.

    pawo2000> What I already know about group policy is it depends on
    pawo2000> working LDAP, DNS, SMB and RPC services. At least
    pawo2000> client machines (group policy engines) use these
    pawo2000> services to identify, download and apply GPOs.

    pawo2000> LDAP stores information about sites, domains, OUs and
    pawo2000> applied GPOs. DNS is mainly used to locate a DC. SMB is
    pawo2000> used to browse SYSVOL and download appropriate group
    pawo2000> policies to the client. It looks like group policies are
    pawo2000> always pulled by the client machine (never pushed by the
    pawo2000> server), but I'm not sure of it. There must be a way to
    pawo2000> force client machines to refresh loaded group policies.

    pawo2000> LDAP and DNS servers must contain some pieces of
    pawo2000> information and provide them to a client machine during
    pawo2000> its startup and logon to recognize required group
    pawo2000> policies. I hope a protocol sniffer is all we need
    pawo2000> to identify group-policy-related communication between
    pawo2000> a domain controller and client machines.

    pawo2000> Anyway I'd like to know if the following features are
    pawo2000> already implemented:
    pawo2000> 1) Can I already access the SYSVOL share? Is it
    pawo2000>    accessible through \\<domainname>\SYSVOL ?
    pawo2000> 2) Are LDAP and DNS servers integrated with Samba4 (contain
    pawo2000>    AD related information)? If I recall correctly the
    pawo2000>    Samba4 technology previews were fully functional AD
    pawo2000>    domain controllers and were properly recognized by
    pawo2000>    client machines. Is that correct?

There is no need to use packet sniffers and attempt to reverse-engineer
the GPO stuff, since it's excellently documented.  Microsoft have a few
papers you must read.  They will answer your questions.

See the links at the end of our Wiki page ...

We currently have 2500 GPOs in our W2K3 domain.  Feel free to ask me
any questions on GPO innards.  The support on the server side is
really simple compared with the client side.

Desktop Services Team, EUCS.

University of Edinburgh, Scotland.
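The thread above describes the client-side pull pawo2000 sketches: the client locates a DC through DNS, reads the gPLink/gPOptions attributes on its site, domain and OU objects via LDAP, and fetches each GPO's files from SYSVOL over SMB. The script below is an added illustration of that discovery step and is not code from this thread or from Samba. It assumes the documented attribute semantics (gPLink elements of the form `[LDAP://<gpo dn>;<flags>]`, where flag 0x1 = link disabled and 0x2 = enforced, with the first-listed link taking highest precedence; gPOptions 0x1 = block inheritance), applies them in site, domain, OU, child-OU order, and runs entirely on constructed sample data (the domain `example.test`, the GUIDs tagged as constructed, and the `demo` helper are all assumptions, not real directory content; only the Default Domain Policy GUID is a well-known constant).

```python
"""Added example: model the GPO discovery order a client computes from the
directory (site -> domain -> OU -> child OU, later wins; enforced links win
over everything below them and ignore block-inheritance).  Not Samba code;
all directory data below is constructed for the demonstration."""
import re
from dataclasses import dataclass

# gPLink element syntax: [LDAP://<GPO DN>;<flags>], first element = highest precedence
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GPLINK_DISABLED = 0x1          # link present but not applied
GPLINK_ENFORCED = 0x2          # "No Override": wins over lower-level links
GPOPTIONS_BLOCK_INHERITANCE = 0x1   # gPOptions bit on a container


@dataclass
class SOM:
    """A scope of management (site, domain or OU object) with its GPO links."""
    dn: str
    gplink: str = ""
    gpoptions: int = 0


def parse_gplink(gplink: str):
    """Split a gPLink value into (gpo_dn, flags) pairs, first = highest precedence."""
    return [(dn, int(flags)) for dn, flags in GPLINK_RE.findall(gplink or "")]


def gpo_guid(gpo_dn: str) -> str:
    """Return the {GUID} RDN of a GPO object DN (upper-cased)."""
    m = re.match(r"cn=(\{[0-9a-f-]{36}\})", gpo_dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a GPO DN: {gpo_dn}")
    return m.group(1).upper()


def sysvol_path(dns_domain: str, gpo_dn: str) -> str:
    """UNC path from which the client pulls the GPO's files over SMB."""
    return rf"\\{dns_domain}\SYSVOL\{dns_domain}\Policies\{gpo_guid(gpo_dn)}"


def dc_locator_srv(dns_domain: str, site: str = "") -> str:
    """DNS SRV name a client queries to find a DC (site-specific when a site is known)."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"
    return f"_ldap._tcp.dc._msdcs.{dns_domain}"


def effective_gpos(chain):
    """chain: SOMs ordered site, domain, OU, ..., down to the OU holding the computer.
    Returns GPO DNs in the order the client applies them (the last one wins)."""
    normal_chunks = []   # one chunk per SOM, nearest SOM first
    enforced = []        # applied after all normal links; nearest SOM first
    blocked = False
    for som in reversed(chain):                # walk from the computer's OU upward
        links = [(dn, f) for dn, f in parse_gplink(som.gplink) if not f & GPLINK_DISABLED]
        # within one SOM the first-listed link is applied last, hence the reverse
        som_enforced = [dn for dn, f in reversed(links) if f & GPLINK_ENFORCED]
        som_normal = [dn for dn, f in reversed(links) if not f & GPLINK_ENFORCED]
        enforced.extend(som_enforced)          # higher-level enforced links land later
        if not blocked:
            normal_chunks.append(som_normal)
        if som.gpoptions & GPOPTIONS_BLOCK_INHERITANCE:
            blocked = True                     # parents' non-enforced links stop here
    normal = [dn for chunk in reversed(normal_chunks) for dn in chunk]
    return normal + enforced


# ---- constructed sample directory (assumption, not real data) ----
DOMAIN = "example.test"
BASE = "DC=example,DC=test"
POLICIES = f"CN=Policies,CN=System,{BASE}"
DEFAULT_DOMAIN = "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # well-known Default Domain Policy
SITE_GPO = "{AAAAAAAA-0000-0000-0000-000000000001}"         # constructed
BASELINE = "{AAAAAAAA-0000-0000-0000-000000000002}"         # constructed, linked enforced
SERVERS_GPO = "{AAAAAAAA-0000-0000-0000-000000000003}"      # constructed
WEB_GPO = "{AAAAAAAA-0000-0000-0000-000000000004}"          # constructed
RETIRED_GPO = "{AAAAAAAA-0000-0000-0000-000000000005}"      # constructed, link disabled


def gpo_dn(guid: str) -> str:
    return f"CN={guid},{POLICIES}"


SAMPLE_CHAIN = [
    SOM(f"CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{BASE}",
        f"[LDAP://{gpo_dn(SITE_GPO)};0]"),
    SOM(BASE, f"[LDAP://{gpo_dn(DEFAULT_DOMAIN)};0][LDAP://{gpo_dn(BASELINE)};2]"),
    SOM(f"OU=Servers,{BASE}", f"[LDAP://{gpo_dn(SERVERS_GPO)};0]",
        gpoptions=GPOPTIONS_BLOCK_INHERITANCE),
    SOM(f"OU=Web,OU=Servers,{BASE}",
        f"[LDAP://{gpo_dn(WEB_GPO)};0][LDAP://{gpo_dn(RETIRED_GPO)};1]"),
]


def demo():
    """Resolve the sample chain to (GUID, SYSVOL path) pairs in application order."""
    return [(gpo_guid(dn), sysvol_path(DOMAIN, dn)) for dn in effective_gpos(SAMPLE_CHAIN)]


if __name__ == "__main__":
    print("DC locator query:", dc_locator_srv(DOMAIN, "Default-First-Site-Name"))
    for guid, path in demo():
        print(guid, "<-", path)
```

On the sample data, block inheritance on OU=Servers drops the site GPO and the Default Domain Policy, the disabled link on OU=Web is skipped, and the enforced baseline is still applied last, which is exactly the information a server implementation has to publish correctly (attribute values in LDAP, SRV records in DNS, matching {GUID} folders in SYSVOL) for the client side to behave.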