[Samba] SYSVOL replication (rsync/Unison): is samba-tool ntacl sysvolreset mandatory after each sync?

Elias Pereira empbilly at gmail.com
Tue Dec 16 12:24:52 UTC 2025


Hi all,

We run Samba AD DCs in a multi-DC environment and replicate SYSVOL (GPOs,
scripts, and related files) using a SysVol replication workaround. We’ve
used rsync, and we are also evaluating the bidirectional rsync/Unison
approach (I understand Unison still relies on the rsync delta algorithm for
efficient transfers).

While reading past discussions and the SambaWiki guidance, I noticed a
recurring pattern: after a SYSVOL sync, samba-tool ntacl sysvolcheck may
start reporting ACL mismatches; samba-tool ntacl sysvolreset fixes them,
but in some cases the next replication (or the next RSAT/GPO edit) makes
the errors come back. Several threads point to root causes like
inconsistent ID mapping between DCs (idmap.ldb / xidNumber) and/or changes
to SYSVOL/NETLOGON permissions from Windows, and the wiki seems to frame
sysvolreset mainly as an initial/repair step (e.g., after joining a new DC)
rather than something that must run after every replication.

With each SYSVOL replication (GPOs, files, etc.), is it actually
necessary/mandatory to run samba-tool ntacl sysvolreset to “correct”
permissions?
-- 
Elias Pereira
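Added example, not part of the message above and not Samba project code: a small Python wrapper for the pull-style SYSVOL workaround the message describes (rsync with -X so the security.NTACL xattr travels with the files), which runs samba-tool ntacl sysvolcheck after every pull and only falls back to sysvolreset when that check fails, then re-checks. The point it demonstrates is that sysvolreset does not have to be unconditional; recording whether it was needed on each run is what tells you whether you have the recurring mismatch pattern (idmap.ldb drift or Windows-side permission edits) rather than a one-off repair. Assumptions: the SYSVOL path (/var/lib/samba/sysvol/, distro layout; self-built Samba uses /usr/local/samba/var/locks/sysvol/), the hypothetical peer DC rsync module rsync://dc1.example.com/SysVol/, and that a failing sysvolcheck surfaces as a non-zero exit with ProvisioningError in its output.

```python
#!/usr/bin/env python3
"""Hypothetical SYSVOL pull-and-verify wrapper (constructed example).

Pull SYSVOL from a peer DC with rsync, run `samba-tool ntacl sysvolcheck`,
and only run `samba-tool ntacl sysvolreset` when the check fails.
"""
import subprocess
import sys
from dataclasses import dataclass

# Assumed paths; adjust for your build/distro.
SYSVOL_PATH = "/var/lib/samba/sysvol/"
# Hypothetical rsync daemon module on the peer DC (as in the SambaWiki workaround).
PEER_SOURCE = "rsync://dc1.example.com/SysVol/"


@dataclass
class StepResult:
    rc: int
    output: str


def rsync_command(source: str, dest: str) -> list:
    """rsync flags from the SambaWiki workaround: -X carries the security.NTACL
    xattr, -A carries POSIX ACLs, --delete-after removes GPOs deleted on the peer."""
    return ["rsync", "-XAavz", "--delete-after", source, dest]


def sysvolcheck_command() -> list:
    return ["samba-tool", "ntacl", "sysvolcheck"]


def sysvolreset_command() -> list:
    return ["samba-tool", "ntacl", "sysvolreset"]


def run(cmd: list) -> StepResult:
    """Real runner: execute the command and capture exit code plus output."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return StepResult(p.returncode, p.stdout + p.stderr)


def decide_reset(check: StepResult) -> bool:
    """sysvolcheck prints nothing and exits 0 when every NT ACL on SYSVOL matches
    the expected one. On a mismatch samba-tool raises ProvisioningError, assumed
    here to surface as a non-zero exit and/or 'ProvisioningError' in the output."""
    return check.rc != 0 or "ProvisioningError" in check.output


def sync_and_verify(runner=run) -> dict:
    """Pull, check, reset only when needed, re-check.

    Returns a summary dict so cron/monitoring can see whether a reset was
    needed. A reset needed on *every* run is the symptom described in the
    thread above (typically inconsistent xidNumber mapping between DCs)."""
    summary = {"rsync_rc": None, "reset_ran": False, "clean": False}
    pull = runner(rsync_command(PEER_SOURCE, SYSVOL_PATH))
    summary["rsync_rc"] = pull.rc
    if pull.rc != 0:
        # Do not touch ACLs if the transfer itself failed.
        return summary
    check = runner(sysvolcheck_command())
    if decide_reset(check):
        runner(sysvolreset_command())
        summary["reset_ran"] = True
        check = runner(sysvolcheck_command())
    summary["clean"] = not decide_reset(check)
    return summary


if __name__ == "__main__":
    result = sync_and_verify()
    print(result)
    sys.exit(0 if result["clean"] else 1)
```

The runner is injectable so the decision logic can be exercised without a DC; in production the default `run` executes the real commands. If `reset_ran` comes back True on most runs, sysvolreset is masking the underlying problem rather than fixing it, and the ID mapping between the DCs is the thing to compare.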

