[Samba] Syncing Sysvol

Jonathon Reinhart jonathon.reinhart at gmail.com
Wed Jul 17 12:31:30 UTC 2019

On Wed, Jul 17, 2019 at 8:16 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
> On 17/07/2019 13:02, Jonathon Reinhart wrote:
> > I have the [Sysvol] share in smb.conf marked "read only = yes". That
> > way, if someone connects GPO Editor to a DC other than the PDC
> > Emulator, it will fail to write the changes, thus enforcing the "GPOs
> > are only edited on the PDC Emulator DC". This is acceptable in a small
> > organization; YMMV.
> If Sysvol is 'read only' it is not writable by anything.

While I stated it a couple times previously, I worded it in a
misleading way this last time. Let me try to clear it up:

The [Sysvol] samba share is writable on the PDC Emulator. If GPO
Editor uses the default behavior and connects to PDC Emulator, all is

The [Sysvol] samba share is read-only on all non-PDC-Emulator DCs. If
GPO Editor connects to a non-PDC-Emulator DC and tries to make a
change, it will fail as expected.

Our Sysvol-sync scripts (running on non-PDC-Emulator DCs) are writing
to the underlying directory (/var/lib/samba/sysvol on Debian).
Certainly the underlying kernel/filesystem do not care what Samba
thinks about the read-only share pointing at that directory.

> >
> >> This wasn't what I was getting at though. If Sysvol on the PDC Emulator
> >> is updated and all other DCs are watching for updates, it is very
> >> possible that they will all try to update their Sysvol at the same time.
> > Ah, I see. Is this an actual performance problem, or are we
> > prematurely optimizing? :-)
> Probably both, I have seen reports on here of domains with 20 DCs, imagine
> 19 DCs trying to download exactly the same files all at once.
> Rowland
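
The share policy described in this message (the [Sysvol] share writable only on the PDC Emulator, read-only on every other DC) can be checked mechanically. The following is an added example, not part of the original post or of Samba; the function names and the two sample configurations are constructed for illustration, and it assumes the share is defined in the text passed in (no `include` handling, no [global] override).

```python
# Added example: check [sysvol] against the DC's role. Sample configs are constructed.
NON_PDC_CONF = """
[sysvol]
    path = /var/lib/samba/sysvol
    read only = yes
"""
PDC_CONF = """
[sysvol]
    path = /var/lib/samba/sysvol
    ; "writable" is an inverted synonym of "read only" (smb.conf(5))
    Writable = Yes
"""
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"
TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

def _bool(value):
    v = value.strip().lower()
    if v not in TRUE | FALSE:
        raise ValueError(f"not a boolean: {value!r}")
    return v in TRUE

def sysvol_read_only(conf_text):
    """Effective 'read only' value of [sysvol], or None if the share is absent."""
    section, found, read_only = None, False, True  # Samba's default is read only = yes
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = "".join(line[1:-1].lower().split())
            found = found or section == "sysvol"
            continue
        if section != "sysvol" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.lower().split())  # names ignore case and whitespace
        if key == "readonly":
            read_only = _bool(value)
        elif key in INVERTED:
            read_only = not _bool(value)
    return read_only if found else None

def audit(conf_text, is_pdc_emulator):
    """True when the share is writable on the PDC Emulator and read-only elsewhere."""
    ro = sysvol_read_only(conf_text)
    if ro is None:
        raise ValueError("no [sysvol] share defined")
    return ro != is_pdc_emulator
```

Feeding it the output of `testparm -s` rather than the raw file resolves includes first. As the message notes, this only audits what Samba serves; the sync script still writes to the underlying directory regardless of the share setting.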
