Merge pull request #5085 from rusking/master

translated:20170116 Setup SysVol Replication Across Two Samba4 AD DC with Rsync - Part 6
This commit is contained in:
Xingyu.Wang 2017-02-04 20:59:05 +08:00 committed by GitHub
commit aff575f54d
2 changed files with 198 additions and 198 deletions


@ -1,198 +0,0 @@
# rusking translating
Setup SysVol Replication Across Two Samba4 AD DC with Rsync Part 6
============================================================
This topic will cover SysVol replication across two Samba4 Active Directory Domain Controllers performed with the help of a few powerful Linux tools, such as [Rsync file synchronization utility][2], [Cron scheduling daemon][3] and [SSH protocol][4].
#### Requirements:
1. [Join Ubuntu 16.04 as Additional Domain Controller to Samba4 AD DC Part 5][1]
### Step 1: Accurate Time Synchronization Across DCs
1. Before starting to replicate the contents of the sysvol directory across both domain controllers you need to provide an accurate time for these machines.
If the delay is greater than 5 minutes on both directions and their clocks are not properly in sync, you should start experiencing various problems with AD accounts and domain replication.
To overcome the problem of time drifting between two or more domain controllers, you need to [install and configure NTP server][5] on your machine by executing the below command.
```
# apt-get install ntp
```
2. After NTP daemon has been installed, open the main configuration file, comment the default pools (add a # in front of each pool line) and add a new pool which will point back to the main Samba4 AD DC FQDN with NTPserver installed, as suggested on the below example.
```
# nano /etc/ntp.conf
```
Add following lines to ntp.conf file.
```
pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst
pool adc1.tecmint.lan
# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com
```
[
![Configure NTP for Samba4](http://www.tecmint.com/wp-content/uploads/2017/01/Configure-NTP-for-Samba4.png)
][6]
Configure NTP for Samba4
3. Dont close the file yet, move to the bottom of the file and add the following lines in order for other clients to be able to query and [sync the time with this NTP server][7], issuing signed NTP requests, in case the primary DC goes offline:
```
restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
```
4. Finally, save and close the configuration file and restart NTP daemon in order to apply the changes. Wait for a few seconds or minutes for the time to synchronize and issue ntpq command in order to print the current summary state of the adc1 peer in sync.
```
# systemctl restart ntp
# ntpq -p
```
[
![Synchronize NTP Time with Samba4 AD](http://www.tecmint.com/wp-content/uploads/2017/01/Synchronize-Time.png)
][8]
Synchronize NTP Time with Samba4 AD
### Step 2: SysVol Replication with First DC via Rsync
By default, Samba4 AD DC doesnt perform SysVol replication via DFS-R (Distributed File System Replication) or the FRS (File Replication Service).
This means that Group Policy objects are available only if the first domain controller is online. If the first DC becomes unavailable, the Group Policy settings and logon scripts will not apply further on Windows machines enrolled into the domain.
To overcome this obstacle and achieve a rudimentary form of SysVol replication we will schedule a [Linux rsync command][9] combined with a SSH encrypted tunnel with [key-based SSH authentication][10] in order to securely transfer GPO objects from the first domain controller to the second domain controller.
This method ensures GPO objects consistency across domain controllers, but has one huge drawback. It works only in one direction because rsync will transfer all changes from the source DC to the destination DC when synchronizing GPO directories.
Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.
5. To start the process of SysVol replication, first [generate a SSH key on the first Samba AD DC][11] and transfer the key to the second DC by issuing the below commands.
Do not use a passphrase for this key in order for the scheduled transfer to run without user interference.
```
# ssh-keygen -t RSA
# ssh-copy-id root@adc2
# ssh adc2
# exit
```
[
![Generate SSH Key on Samba4 DC](http://www.tecmint.com/wp-content/uploads/2017/01/Generate-SSH-Key.png)
][12]
Generate SSH Key on Samba4 DC
6. After youve assured that the root user from the first DC can automatically login on the second DC, run the following Rsync command with `--dry-run` parameter in order simulate SysVol replication. Replace adc2accordingly.
```
# rsync --dry-run -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/
```
7. If the simulation process works as expected, run the rsync command again without the `--dry-run` option in order to actually replicate GPO objects across your domain controllers.
```
# rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/
```
[
![Samba4 AD DC SysVol Replication](http://www.tecmint.com/wp-content/uploads/2017/01/SysVol-Replication-for-Samba4-DC.png)
][13]
Samba4 AD DC SysVol Replication
8. After SysVol replication process has finished, login to the destination domain controller and list the contents of one of the GPO objects directory by running the below command.
The same GPO objects from the first DC should be replicated here too.
```
# ls -alh /var/lib/samba/sysvol/your_domain/Policiers/
```
[
![Verify Samba4 DC SysVol Replication](http://www.tecmint.com/wp-content/uploads/2017/01/Verify-Samba4-DC-SysVol-Replication.png)
][14]
Verify Samba4 DC SysVol Replication
9. To automate the process of Group Policy replication (sysvol directory transport over network), schedule a root job to run the rsync command used earlier every 5 minutes by issuing the below command.
```
# crontab -e
```
Add rsync command to run every 5 minutes and direct the output of the command, including the errors, to the log file /var/log/sysvol-replication.log .In case something doesnt work as expected you should consult this file in order to troubleshoot the problem.
```
*/5 * * * * rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/ > /var/log/sysvol-replication.log 2>&1
```
10. Assuming that in future there will be some related issues with SysVol ACL permissions, you can run the following commands in order to detect and repair these errors.
```
# samba-tool ntacl sysvolcheck
# samba-tool ntacl sysvolreset
```
[
![Fix SysVol ACL Permissions](http://www.tecmint.com/wp-content/uploads/2017/01/Fix-SysVol-ACL-Permissions.png)
][15]
Fix SysVol ACL Permissions
11. In case the first Samba4 AD DC with FSMO role as “PDC Emulator” becomes unavailable, you can force the Group Policy Management Console installed on a Microsoft Windows system to connect only to the second domain controller by choosing Change Domain Controller option and manually selecting the target machine as illustrated below.
[
![Change Samba4 Domain Controller](http://www.tecmint.com/wp-content/uploads/2017/01/Change-Samba4-Domain-Controller.png)
][16]
Change Samba4 Domain Controller
[
![Select Samba4 Domain Controller](http://www.tecmint.com/wp-content/uploads/2017/01/Select-Samba4-Domain-Controller.png)
][17]
Select Samba4 Domain Controller
While connected to the second DC from Group Policy Management Console, you should avoid making any modification to your domain Group Policy. When the first DC will become available again, rsync command will destroy all changes made on this second domain controller.
--------------------------------------------------------------------------------
作者简介:
![](http://2.gravatar.com/avatar/be16e54026c7429d28490cce41b1e157?s=128&d=blank&r=g)
I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.
--------------------------------------------------------------------------------
via: http://www.tecmint.com/samba4-ad-dc-sysvol-replication/
作者:[Matei Cezar][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/cezarmatei/
[1]:http://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/
[2]:http://www.tecmint.com/rsync-local-remote-file-synchronization-commands/
[3]:http://www.tecmint.com/11-cron-scheduling-task-examples-in-linux/
[4]:http://www.tecmint.com/5-best-practices-to-secure-and-protect-ssh-server/
[5]:http://www.tecmint.com/install-and-configure-ntp-server-client-in-debian/
[6]:http://www.tecmint.com/wp-content/uploads/2017/01/Configure-NTP-for-Samba4.png
[7]:http://www.tecmint.com/how-to-synchronize-time-with-ntp-server-in-ubuntu-linux-mint-xubuntu-debian/
[8]:http://www.tecmint.com/wp-content/uploads/2017/01/Synchronize-Time.png
[9]:http://www.tecmint.com/rsync-local-remote-file-synchronization-commands/
[10]:http://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
[11]:http://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
[12]:http://www.tecmint.com/wp-content/uploads/2017/01/Generate-SSH-Key.png
[13]:http://www.tecmint.com/wp-content/uploads/2017/01/SysVol-Replication-for-Samba4-DC.png
[14]:http://www.tecmint.com/wp-content/uploads/2017/01/Verify-Samba4-DC-SysVol-Replication.png
[15]:http://www.tecmint.com/wp-content/uploads/2017/01/Fix-SysVol-ACL-Permissions.png
[16]:http://www.tecmint.com/wp-content/uploads/2017/01/Change-Samba4-Domain-Controller.png
[17]:http://www.tecmint.com/wp-content/uploads/2017/01/Select-Samba4-Domain-Controller.png
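Review bot: two command-line slips in the source being removed here are carried verbatim into the translation, so they deserve a translator's note rather than silent removal with this hunk: `ls -alh /var/lib/samba/sysvol/your_domain/Policiers/` (the GPO directory under SysVol is `Policies`), and `ssh-keygen -t RSA` (OpenSSH key type names are lowercase, `-t rsa`). Two operational points in the same text are also worth flagging for readers: the cron entry `*/5 * * * * rsync ... > /var/log/sysvol-replication.log 2>&1` overwrites the log on every run, so only the latest five-minute window survives for troubleshooting (`>>` plus log rotation keeps history), and the passphrase-less root key installed with `ssh-copy-id root@adc2` is unrestricted; limiting it in `authorized_keys` (for example with `from=` to the first DC's address and `command=` to the rsync server invocation) keeps a compromise of adc1 from turning into a full root shell on adc2. The `# rusking translating` claim marker on the first line confirms this deletion is the expected counterpart of the added translation.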


@ -0,0 +1,198 @@
Setup SysVol Replication Across Two Samba4 AD DC with Rsync Part 6
============================================================
使用 Rsync 命令来同步两个 Samba4 AD DC 之间的 SysVol 目录——(六)
这篇文章讲的是在两个 Samba4 活动目录域控制器之间,通过一些强大的 Linux 工具来完成 SysVol 的复制操作,比如[Rsync 数据同步工具][2][Cron 任务调度进程][3]和[SSH 协议][4]。
#### 要求::
1、 [将 Ubuntu 16.04 服务器作为域控制器加入到 Samba4 AD DC 环境中——(五)][1]
### 第一步:配置 DC 服务器时间同步
1、在两个域控制器之间复制 sysvol 目录的内容之前,你得保证这两个服务器时间设置准确且一致。
如果这两个服务器的时间延迟大于 5 分钟,并且时钟也不同步,你将会遇到 AD 账号和域复制的各种问题。
为了解决多个域控制器之间时间漂移的问题,你需要在服务器上执行如下命令来[安装和配置 NTP 服务][5]。
```
# apt-get install ntp
```
2、在 NTP 服务安装完成之后,打开主配置文件,把默认的 pool 值注释(在第一行 pool 参数前添加 # ),并且添加新的 pool 值指向已安装了 NTP 服务端的主 Samba4 AD DC FQDN ,如下所示。
```
# nano /etc/ntp.conf
```
把下面几行添加到 ntp.conf 配置文件。
```
pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst
pool adc1.tecmint.lan
# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com
```
[
![Configure NTP for Samba4](http://www.tecmint.com/wp-content/uploads/2017/01/Configure-NTP-for-Samba4.png)
][6]
Samba4 配置 NTP 服务
3、先不要关闭该文件在文件末尾添加如下内容这是为了让其它客户端能够查询并[与这个 NTP 服务器同步时间][7],并发出 NTP 签署请求,以防主 DC 离线:
```
restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/
```
4、最后关闭并保存该配置文件然后重启 NTP 服务以应用更改。等待几分钟后时间同步完成,执行 ntpq 命令来查看时间同步情况。
```
# systemctl restart ntp
# ntpq -p
```
[
![Synchronize NTP Time with Samba4 AD](http://www.tecmint.com/wp-content/uploads/2017/01/Synchronize-Time.png)
][8]
与 Samba4 AD 同步 NTP 时间
### 第二步:通过 Rsync 命令来复制第一个 DC 服务器上的 SysVol 目录
默认情况下Samba4 AD DC 不会通过 DFS-R分布式文件系统复制或者 FRS文件复制服务来复制 SysVol 目录。
这意味着只有在第一个域控制器联机时,组策略对象才可用。否则组策略设置和登录脚本不会应用到已加入域的 Windosws 机器上。
为了解决这个问题及实现 SysVol 目录的犁,我们通过执行一个[基于 SSH 的身份认证][10]并使用 SSH 加密通道的[Linux 同步命令][9]来从第一个域控制器安全地传输 GPO 对象到第二个域控制器。
这种方式能够确保 GPO 对象在域控制器之间的一致性,但是也有一个很大的缺点。它只能进行单向同步,因为在同步 GPO 目录的时候, rsync 命令会从源 DC 服务器传输所有的更改到目标 DC 服务器,
源 DC 服务器上不存在的组策略对象也会从目标 DC 服务器上删除,为了限制并避免任何冲突,所有的 GPO 编辑操作只能在第一个 DC 服务器上执行。
5、要进行 SysVol 复制,先到[第一个 AD DC 服务器上生成 SSH 密钥][11],然后使用下面的命令把该密钥传输到第二个 DC 服务器。
在生成密钥的过程中不要设置密码,以便在无用户干预的情况下进行传输。
```
# ssh-keygen -t RSA
# ssh-copy-id root@adc2
# ssh adc2
# exit
```
[
![Generate SSH Key on Samba4 DC](http://www.tecmint.com/wp-content/uploads/2017/01/Generate-SSH-Key.png)
][12]
在 Samba4 DC 服务器上生成 SSH 密钥
6、 当你确认 root 用户可以从第一个 DC 服务器以免密码方式登录到第二个 DC 服务器时,执行下面的 Rsync 命令,加上 `--dry-run` 参数来模拟 SysVol 复制过程。注意把对应的参数值替换成你自己的数据。
```
# rsync --dry-run -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/
```
7、如果模拟复制过程正常那么再次执行 rsync 命令,去掉 `--dry-run` 参数来真实的在域控制器之间复制 GPO 对象。
```
# rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/
```
[
![Samba4 AD DC SysVol Replication](http://www.tecmint.com/wp-content/uploads/2017/01/SysVol-Replication-for-Samba4-DC.png)
][13]
Samba4 AD DC SysVol 复制
8、在 SysVol 复制完成之后,登录到目标域控制器,然后执行下面的命令来列出其中一个 GPO 对象目录的内容。
从第一个 DC 服务器上执行这个命令时,列出的 GPO 对象也要相同。
```
# ls -alh /var/lib/samba/sysvol/your_domain/Policiers/
```
[
![Verify Samba4 DC SysVol Replication](http://www.tecmint.com/wp-content/uploads/2017/01/Verify-Samba4-DC-SysVol-Replication.png)
][14]
验证 Samba4 DC SysVol 复制结果是否正常
9、为了自动完成组策略复制的过程从网络来传输 sysvol 目录),你可以使用 root 账号设置一个任务来执行同步命令,如下所示,设置为每隔 5 分钟执行一次该命令。
```
# crontab -e
```
添加一条每隔 5 分钟运行的同步命令,并把执行结果以及错误信息输出到日志文件 /var/log/sysvol-replication.log 。如果执行命令异常,你可以查看该文件来定位问题。
```
*/5 * * * * rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/ > /var/log/sysvol-replication.log 2>&1
```
10、如果以后 SysVol ACL 权限有问题,你可以通过下面的命令来检测和修复这些异常。
```
# samba-tool ntacl sysvolcheck
# samba-tool ntacl sysvolreset
```
[
![Fix SysVol ACL Permissions](http://www.tecmint.com/wp-content/uploads/2017/01/Fix-SysVol-ACL-Permissions.png)
][15]
修复 SysVol ACL 权限问题
11、如果第一个 Samba4 AD DC 的 FSMO 角色,即“ PDC 模拟器”不可用,你可以强制 Microsoft Windows 系统上的组策略管理控制台只连接到第二个域控制器,通过选择更改域控制器选项和手动选择目标机器,如下图所示。
[
![Change Samba4 Domain Controller](http://www.tecmint.com/wp-content/uploads/2017/01/Change-Samba4-Domain-Controller.png)
][16]
更改 Samba4 域控制器
[
![Select Samba4 Domain Controller](http://www.tecmint.com/wp-content/uploads/2017/01/Select-Samba4-Domain-Controller.png)
][17]
选择 Samba4 域控制器
当你从组策略管理控制台连接到第二个 DC 服务器时,你应该避免对组策略做任何更改。否则,当第一个 DC 服务器恢复正常后, rsync 命令将会删除在第二个 DC 服务器上所做的更改。
--------------------------------------------------------------------------------
作者简介:
![](http://2.gravatar.com/avatar/be16e54026c7429d28490cce41b1e157?s=128&d=blank&r=g)
我是一个电脑迷,开源软件和 Linux 系统爱好者,有超过 4 年的 Linux 桌面、服务器版本系统和 bash 编程经验。
--------------------------------------------------------------------------------
via: http://www.tecmint.com/samba4-ad-dc-sysvol-replication/
作者:[Matei Cezar][a]
译者:[rusking](https://github.com/rusking)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/cezarmatei/
[1]:http://www.tecmint.com/join-additional-ubuntu-dc-to-samba4-ad-dc-failover-replication/
[2]:http://www.tecmint.com/rsync-local-remote-file-synchronization-commands/
[3]:http://www.tecmint.com/11-cron-scheduling-task-examples-in-linux/
[4]:http://www.tecmint.com/5-best-practices-to-secure-and-protect-ssh-server/
[5]:http://www.tecmint.com/install-and-configure-ntp-server-client-in-debian/
[6]:http://www.tecmint.com/wp-content/uploads/2017/01/Configure-NTP-for-Samba4.png
[7]:http://www.tecmint.com/how-to-synchronize-time-with-ntp-server-in-ubuntu-linux-mint-xubuntu-debian/
[8]:http://www.tecmint.com/wp-content/uploads/2017/01/Synchronize-Time.png
[9]:http://www.tecmint.com/rsync-local-remote-file-synchronization-commands/
[10]:http://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
[11]:http://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
[12]:http://www.tecmint.com/wp-content/uploads/2017/01/Generate-SSH-Key.png
[13]:http://www.tecmint.com/wp-content/uploads/2017/01/SysVol-Replication-for-Samba4-DC.png
[14]:http://www.tecmint.com/wp-content/uploads/2017/01/Verify-Samba4-DC-SysVol-Replication.png
[15]:http://www.tecmint.com/wp-content/uploads/2017/01/Fix-SysVol-ACL-Permissions.png
[16]:http://www.tecmint.com/wp-content/uploads/2017/01/Change-Samba4-Domain-Controller.png
[17]:http://www.tecmint.com/wp-content/uploads/2017/01/Select-Samba4-Domain-Controller.png
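Review bot: the sentence `为了解决这个问题及实现 SysVol 目录的犁` has a mangled character; `犁` should read `复制` (replication). Other visible slips in the translated text: `Windosws` for `Windows`; `DFS-R分布式文件系统复制或者 FRS文件复制服务` lost the parentheses around the two expansions; the paragraph ending `传输所有的更改到目标 DC 服务器,` needs a full stop before `源 DC 服务器上不存在的...`, which is a separate sentence in the original; `要求::` has a doubled colon; and `从第一个 DC 服务器上执行这个命令时,列出的 GPO 对象也要相同` inverts the source, which says the same GPO objects from the first DC should now be present here (the command runs on the second DC). The commands are copied unchanged, including `Policiers/` and `ssh-keygen -t RSA`, so a short translator's note that the directory is `Policies` and the key type is `rsa` would save readers a failed command. The proofreader line is still the `校对者ID` placeholder, which is expected before 校对 is assigned.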