[Samba] SYSVOL replication (rsync/Unison): is samba-tool ntacl sysvolreset mandatory after each sync?
Elias Pereira
empbilly at gmail.com
Tue Dec 16 13:48:31 UTC 2025
I am synchronizing idmap.ldb. I even have a cron for that. And I know that
sysvolreset is necessary after synchronization.
But the question is about sysvol's rsync/unison, especially when I create
or modify a new GPO.
Whenever I need to do the above, and I run a sysvolcheck, I get an error.
Then I need to run a sysvolreset.
On Tue, Dec 16, 2025 at 10:44 AM Luis Peromarta via samba <
samba at lists.samba.org> wrote:
> You are probably not syncing idmap.ldb
>
> http://samba.bigbird.es/doku.php?id=samba:sync-idmap.ldb
>
> Let me know how you get on.
> On Dec 16, 2025 at 12:26 +0000, Elias Pereira via samba <
> samba at lists.samba.org>, wrote:
> > Hi all,
> >
> > We run Samba AD DCs in a multi-DC environment and replicate SYSVOL (GPOs,
> > scripts, and related files) using a SysVol replication workaround. We’ve
> > used rsync, and we are also evaluating the bidirectional rsync/Unison
> > approach (I understand Unison still relies on the rsync delta algorithm
> > for efficient transfers).
> >
> > While reading past discussions and the SambaWiki guidance, I noticed a
> > recurring pattern: after a SYSVOL sync, samba-tool ntacl sysvolcheck may
> > start reporting ACL mismatches; samba-tool ntacl sysvolreset fixes them,
> > but in some cases the next replication (or the next RSAT/GPO edit) makes
> > the errors come back. Several threads point to root causes like
> > inconsistent ID mapping between DCs (idmap.ldb / xidNumber) and/or
> > changes to SYSVOL/NETLOGON permissions from Windows, and the wiki seems
> > to frame sysvolreset mainly as an initial/repair step (e.g., after
> > joining a new DC) rather than something that must run after every
> > replication.
> >
> > With each SYSVOL replication (GPOs, files, etc.), is it actually
> > necessary/mandatory to run samba-tool ntacl sysvolreset to “correct”
> > permissions?
> > --
> > Elias Pereira
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
--
Elias Pereira
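
The quoted message names inconsistent idmap.ldb / xidNumber mappings between DCs as one root cause of recurring sysvolcheck errors. The following is an added example, not part of the thread or of Samba's tooling: it compares two LDIF dumps of idmap.ldb and lists every SID whose xidNumber differs or is missing on one DC. It assumes the dumps come from `ldbsearch -H` against each DC's idmap.ldb and carry `cn` and `xidNumber` attributes; the sample records and function names are constructed.

```python
"""Compare SID -> xidNumber mappings taken from two DCs' idmap.ldb dumps."""

# Constructed sample dumps (assumed shape of ldbsearch LDIF output).
DC1_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-18
cn: S-1-5-18
xidNumber: 3000002

# record 3
dn: CN=S-1-5-11
cn: S-1-5-11
xidNumber: 3000003
"""
DC2_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-18
cn: S-1-5-18
xidNumber: 3000005
"""

def parse_idmap(ldif):
    """Return {sid: xidNumber} for every record that carries both attributes."""
    mapping = {}
    for record in ldif.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldbsearch comments and malformed lines
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        sid = attrs.get("cn", "")
        if sid.startswith("S-1-") and "xidNumber" in attrs:  # skips CN=CONFIG
            mapping[sid] = int(attrs["xidNumber"])
    return mapping

def diff_idmaps(reference, other):
    """List (sid, ref_xid, other_xid) where the DCs disagree; None = missing."""
    ref, oth = parse_idmap(reference), parse_idmap(other)
    return [(sid, ref.get(sid), oth.get(sid))
            for sid in sorted(set(ref) | set(oth)) if ref.get(sid) != oth.get(sid)]

if __name__ == "__main__":
    for sid, a, b in diff_idmaps(DC1_LDIF, DC2_LDIF):
        print(f"{sid}: DC1={a} DC2={b}")
```

An empty result means both DCs map every SID to the same Unix ID, so recurring ACL mismatches after a file-level SYSVOL sync would need another explanation.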