This topic will cover SysVol replication across two Samba4 Active Directory Domain Controllers, performed with the help of a few powerful Linux tools, such as the [Rsync file synchronization utility][2], the [Cron scheduling daemon][3] and the [SSH protocol][4].
#### Requirements:
1. [Join Ubuntu 16.04 as Additional Domain Controller to Samba4 AD DC – Part 5][1]
### Step 1: Accurate Time Synchronization Across DCs
1. Before starting to replicate the contents of the sysvol directory across both domain controllers, you need to provide accurate time on these machines.
If the clocks of the two DCs drift more than 5 minutes apart in either direction (the skew at which Kerberos rejects tickets), you will start experiencing various problems with AD accounts and domain replication.
To overcome time drift between two or more domain controllers, [install and configure the NTP server][5] on your machine by executing the command below.
```
# apt-get install ntp
```
2. After the NTP daemon has been installed, open the main configuration file, comment out the default pools (add a # in front of each pool line) and add a new pool that points back to the FQDN of the main Samba4 AD DC, where the NTP server is installed, as in the example below.
```
# nano /etc/ntp.conf
```
Add the following lines to the ntp.conf file.
```
pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst
pool adc1.tecmint.lan
# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com
```
[
![Configure NTP for Samba4](http://www.tecmint.com/wp-content/uploads/2017/01/Configure-NTP-for-Samba4.png)
][6]
Configure NTP for Samba4
3. Don't close the file yet. Move to the bottom of the file and add the following lines so that domain clients can query and [sync the time with this NTP server][7] using signed NTP requests, in case the primary DC goes offline:
```
restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
```
4. Finally, save and close the configuration file and restart the NTP daemon to apply the changes. Wait a few seconds or minutes for the time to synchronize, then issue the ntpq command to print the current summary state of the adc1 peer and confirm it is in sync.
```
# systemctl restart ntp
# ntpq -p
```
[
![Synchronize NTP Time with Samba4 AD](http://www.tecmint.com/wp-content/uploads/2017/01/Synchronize-Time.png)
][8]
Synchronize NTP Time with Samba4 AD
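A script that turns the manual `ntpq -p` inspection from step 4 into a repeatable check, added here as an example and not part of the original article. It verifies that the peer for the first DC (adc1, the name used in the article) is the selected sync source and that its offset is far below the 5-minute tolerance; the ntpq output it parses is constructed sample data, and the file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article: check that the peer
# printed by `ntpq -p` for the first DC is the selected sync source and
# that its offset stays far below the 5-minute tolerance the article
# warns about. The peer name adc1 comes from the article; the ntpq output
# below is constructed sample data, not captured from a real server.

# Constructed `ntpq -p` output: "*" marks the system peer ntpd is
# synchronised to, "+" a candidate, a blank tally an unused peer.
# ntpq truncates the remote name to 15 characters, hence "adc1.tecmint.la".
SAMPLE_NTPQ_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*adc1.tecmint.la 192.0.2.10       3 u   37   64  377    0.412   -1.203   0.911
+ntp.ubuntu.com  .GPS.            1 u   50   64  377   24.118    2.440   3.205
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000'

# Constructed output for a DC whose clock has drifted: adc1 is reachable
# but not selected, and its offset is about six minutes (361204 ms).
SAMPLE_NTPQ_DRIFT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 adc1.tecmint.la 192.0.2.10       3 u   37   64  377    0.412 361204.1   0.911
*ntp.ubuntu.com  .GPS.            1 u   50   64  377   24.118    2.440   3.205'

# ntp_sync_ok PEER_PREFIX [MAX_OFFSET_MS]
# Reads `ntpq -p` output on stdin. Returns 0 only if the line tagged "*"
# names a peer starting with PEER_PREFIX and its absolute offset (column 9,
# in milliseconds) is below MAX_OFFSET_MS (default 1000 ms).
ntp_sync_ok() {
    peer="$1"
    limit_ms="${2:-1000}"
    awk -v peer="$peer" -v limit="$limit_ms" '
        substr($0, 1, 1) == "*" {
            name = substr($1, 2)            # drop the "*" tally character
            off = $9 + 0
            if (off < 0) off = -off
            if (index(name, peer) == 1 && off < limit) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Run the real check on this host; the exit status can feed a monitor.
check_first_dc_peer() {
    ntpq -p | ntp_sync_ok adc1 "${1:-1000}"
}

if [ $# -gt 0 ]; then
    # Usage: sh ntp-check.sh <max-offset-ms>   (hypothetical file name)
    if check_first_dc_peer "$1"; then
        echo "adc1 is the selected sync source"
    else
        echo "adc1 is not in sync" >&2
        exit 1
    fi
fi
```

Run it from cron or a monitoring agent on the second DC; a non-zero exit means ntpd has either selected another source or is still converging, which is exactly the state in which the replication problems from step 1 appear.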
### Step 2: SysVol Replication with First DC via Rsync
By default, Samba4 AD DC doesn't perform SysVol replication via DFS-R (Distributed File System Replication) or FRS (File Replication Service).
This means that Group Policy objects are available only while the first domain controller is online. If the first DC becomes unavailable, Group Policy settings and logon scripts will no longer apply on Windows machines enrolled in the domain.
To overcome this obstacle and achieve a rudimentary form of SysVol replication, we will schedule a [Linux rsync command][9] over an SSH-encrypted tunnel with [key-based SSH authentication][10], in order to securely transfer GPO objects from the first domain controller to the second.
This method keeps GPO objects consistent across domain controllers, but it has one huge drawback: it works only in one direction, because rsync pushes all changes from the source DC to the destination DC when synchronizing the GPO directories.
Objects which no longer exist on the source will be deleted from the destination as well. To limit and avoid conflicts, all GPO edits should be made only on the first DC.
5. To start the SysVol replication process, first [generate an SSH key on the first Samba AD DC][11] and transfer the key to the second DC by issuing the commands below.
Do not use a passphrase for this key, so that the scheduled transfer can run without user interaction.
```
# ssh-keygen -t RSA
# ssh-copy-id root@adc2
# ssh adc2
# exit
```
[
![Generate SSH Key on Samba4 DC](http://www.tecmint.com/wp-content/uploads/2017/01/Generate-SSH-Key.png)
][12]
Generate SSH Key on Samba4 DC
6. After you have confirmed that the root user from the first DC can log in to the second DC without a password, run Rsync with the `--dry-run` parameter to simulate SysVol replication. Replace adc2 accordingly.
7. If the simulation works as expected, run the rsync command again without the `--dry-run` option to actually replicate GPO objects across your domain controllers.
[
![Samba4 AD DC SysVol Replication](http://www.tecmint.com/wp-content/uploads/2017/01/SysVol-Replication-for-Samba4-DC.png)
][13]
Samba4 AD DC SysVol Replication
8. After the SysVol replication process has finished, log in to the destination domain controller and list the contents of the GPO objects directory by running the command below.
The same GPO objects as on the first DC should now be present here too.
```
# ls -alh /var/lib/samba/sysvol/your_domain/Policies/
```
[
![Verify Samba4 DC SysVol Replication](http://www.tecmint.com/wp-content/uploads/2017/01/Verify-Samba4-DC-SysVol-Replication.png)
][14]
Verify Samba4 DC SysVol Replication
9. To automate Group Policy replication (transport of the sysvol directory over the network), schedule a root cron job that runs the rsync command used earlier every 5 minutes, by issuing the command below.
```
# crontab -e
```
Add the rsync command so that it runs every 5 minutes, and redirect its output, including errors, to the log file /var/log/sysvol-replication.log. If something doesn't work as expected, consult this file to troubleshoot the problem.
10. If in the future you run into issues with SysVol ACL permissions, you can run the following commands to detect and repair these errors.
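The replication procedure from steps 6 through 10 as one cron-friendly script, added here as an example; it is not the article's own script, which does not reproduce its rsync or ACL commands. The hostname adc2 and the log file path are taken from the article; the rsync flags, the script name, the `RSYNC_BIN`/`SSH_BIN` overrides and the use of `samba-tool ntacl sysvolcheck` / `sysvolreset` (the standard Samba subcommands for checking and resetting sysvol ACLs) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the article's own script: one-direction SysVol
# replication (steps 6-9) plus the ACL check from step 10. Hostname adc2
# and the log file path come from the article; the rsync flags, the script
# name and the samba-tool calls are assumptions made for this example.
# Intended to run as root on the first DC (the one holding the SSH key).

SYSVOL_SRC="/var/lib/samba/sysvol/"                 # trailing slash: sync the contents
SYSVOL_DST_HOST="${SYSVOL_DST_HOST:-adc2}"          # second DC from the article
SYSVOL_DST="/var/lib/samba/sysvol/"
LOG_FILE="${LOG_FILE:-/var/log/sysvol-replication.log}"
RSYNC_BIN="${RSYNC_BIN:-rsync}"                     # overridable so the logic can be tested offline
SSH_BIN="${SSH_BIN:-ssh}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"
}

# sysvol_sync [dry-run]
# -A/-X carry the POSIX ACLs and the security.NTACL extended attributes
# Samba stores on sysvol; without them the copied GPOs lose their NT ACLs.
# --delete-after mirrors the article's caveat: objects removed on the
# source disappear on adc2 as well, so edit GPOs only on the first DC.
sysvol_sync() {
    mode="${1:-run}"
    set -- "$RSYNC_BIN" -XAavz --delete-after -e "$SSH_BIN"
    if [ "$mode" = "dry-run" ]; then
        set -- "$@" --dry-run
    fi
    set -- "$@" "$SYSVOL_SRC" "root@$SYSVOL_DST_HOST:$SYSVOL_DST"
    log "running: $*"
    "$@" >>"$LOG_FILE" 2>&1
}

# sysvol_acl_check
# After a sync, verify the NT ACLs on the destination and, only if the
# check fails, reset them to the domain defaults.
sysvol_acl_check() {
    if "$SSH_BIN" "root@$SYSVOL_DST_HOST" samba-tool ntacl sysvolcheck >>"$LOG_FILE" 2>&1; then
        log "sysvol ACLs on $SYSVOL_DST_HOST are consistent"
        return 0
    fi
    log "sysvolcheck failed on $SYSVOL_DST_HOST, running sysvolreset"
    "$SSH_BIN" "root@$SYSVOL_DST_HOST" samba-tool ntacl sysvolreset >>"$LOG_FILE" 2>&1
}

# Usage (hypothetical script name): sysvol-replicate.sh dry-run | run
# Suggested crontab entry on the first DC for step 9, assuming the script
# is installed at /usr/local/sbin/sysvol-replicate.sh:
#   */5 * * * * /usr/local/sbin/sysvol-replicate.sh run >>/var/log/sysvol-replication.log 2>&1
if [ $# -gt 0 ]; then
    case "$1" in
        dry-run) sysvol_sync dry-run ;;
        run)     sysvol_sync && sysvol_acl_check ;;
        *)       echo "usage: $0 dry-run|run" >&2; exit 2 ;;
    esac
fi
```

Run it once with `dry-run` and read the log before letting cron call it with `run`; every rsync invocation and every ACL check lands in the same log file the article names, so a failed transfer or a forced `sysvolreset` is visible in one place.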
11. In case the first Samba4 AD DC, which holds the FSMO role "PDC Emulator", becomes unavailable, you can force the Group Policy Management Console installed on a Microsoft Windows system to connect only to the second domain controller, by choosing the Change Domain Controller option and manually selecting the target machine as illustrated below.
While connected to the second DC from the Group Policy Management Console, you should avoid making any modification to your domain Group Policy. When the first DC becomes available again, the rsync command will destroy all changes made on this second domain controller.
I'm a computer-addicted guy, a fan of open source and Linux-based system software, with about 4 years of experience with Linux desktop and server distributions and bash scripting.