[Samba] Sysvol replication with Unison for more than 2 server.

L.P.H. van Belle belle at bazuin.nl
Fri Oct 3 01:16:07 MDT 2014 

This idmap copy is really not needed IF you only use sysvol on the DC. 
and you obey the following. 

1) You set you GPO as user Administrator
2) or if an other user you use, is member of "Domain\Domain Admins" ( but i did not test this )

The build-in group sid is the same on all servers. 
Administrators should be "SID: S-1-5-32-544" ...always. 

http://support2.microsoft.com/kb/243330

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. 
After the initial installation of the operating system, the only member of the group is the Administrator account. 
When a computer joins a domain, the Domain Admins group is added to the Administrators group. 
When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.



All above does not work if you add you own groups etc on sysvol. 
I only use the defaults on it and i add user to the needed groups. 
If a "Admin2user" adds this to gpo of sysvol, yes then this user can have problems with IDMAP and RIDs. 
then a copy of idmap is needed.

I overcome the sid/xid/rid problems by using only Administrator on the GPO/Sysvol work. 

Louis


>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: donderdag 2 oktober 2014 19:08
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] Sysvol replication with Unison for more 
>than 2 server.
>
>On 02/10/14 16:26, Min Wai Chan wrote:
>> Dear Louis,
>>
>> Just to check...
>> Would it be possible to have more than 2 DC using Unison to sync?
>>
>> I was trying to make this to the samba wiki.
>>
>> But when reading the list I see Rowland talking about the 
>SID and RID 
>> issue
>> Because of built-in group SID is not sync across domain.
>
>Ahh, I dropped a right clanger there, when I said SID I meant RID, it 
>would seem that when you join a DC to a domain, idmap.ldb does not get 
>replicated to the new DC and so the RID's could be and probably are 
>different. This is not really a problem, just copy idmap.ldb from the 
>original DC to the new one.
>
>Rowland
>
>>
>> Which I think samba should have their own way of dealing this or it 
>> will just be a mess in a long run.
>>
>> Did we have any trick to deal with this built-in group 
>UID/RID temporary?
>>
>> I remember saw something like io notice/fam to monitor the 
>sysvol and 
>> trigger unison when change happen.
>>
>> but I'm not sure how it would help when you have more than 3 
>server...
>>
>> Regards,
>> Min Wai
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

More information about the samba mailing list