How to use the Rsync command to synchronize the SysVol directory between two Samba4 AD DC

2025-01-20 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to use the rsync command to synchronize the SysVol directory between two Samba4 AD DCs. Most people are not very familiar with this topic, so it is shared here for your reference; I hope you learn something useful from it.

Requirements:

1. Create an Active Directory infrastructure with Samba4 on Ubuntu

2. Manage the Samba4 AD infrastructure from the Linux command line

3. Manage the Samba4 Active Directory infrastructure with the RSAT tools on Windows 10

4. Manage Samba4 AD domain DNS and Group Policy from Windows

5. Join a second Ubuntu DC server to the Samba4 AD DC to obtain a two-domain-controller setup.

Step 1: configure time synchronization on the DC servers

1. Before copying the contents of the SysVol directory between the two domain controllers, make sure that the time settings of both servers are accurate and consistent.

If the clocks of the two servers drift more than 5 minutes apart, you will run into various problems with AD accounts and domain replication.

To avoid time drift between the domain controllers, install and configure the NTP service on the server with the following command.

# apt-get install ntp

2. After the NTP service is installed, open its main configuration file, comment out the default pool entries (add # in front of each pool line), and add a new pool entry pointing to the FQDN of the main Samba4 AD DC, which has the NTP server installed, as shown below.

# nano /etc/ntp.conf

Add the following lines to the ntp.conf configuration file.

#pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst
pool adc1.tecmint.lan
# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com

Samba4 configure NTP service

3. Do not close the file yet. Add the following lines at the end of the file so that other clients can query and synchronize time with this NTP server, and so that it signs NTP requests through Samba's ntp_signd socket, in case the main DC goes offline:

restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/

4. Finally, save and close the configuration file, then restart the NTP service to apply the changes. Wait a few minutes for time synchronization to complete, and run the ntpq command to confirm that the time is synchronized with adc1.

# systemctl restart ntp
# ntpq -p

Synchronize NTP time with Samba4 AD

Step 2: use the rsync command to copy the SysVol directory from the first DC server

By default, Samba4 AD DC does not replicate the SysVol directory through DFS-R (Distributed File System Replication) or FRS (File Replication Service).

This means that Group Policy Objects are available only while the first domain controller is online. Otherwise, Group Policy settings and logon scripts will not be applied to Windows machines joined to the domain.

To overcome this obstacle and effectively achieve SysVol replication, we transfer the GPO objects from the first domain controller to the second one over an SSH encrypted channel, using SSH key-based authentication and the Linux rsync command.

This approach keeps the GPO objects consistent across domain controllers, but it has a significant drawback: synchronization is one-way only. When the GPO directory is synchronized, rsync transfers all changes from the source DC to the destination DC,

and Group Policy Objects that do not exist on the source DC are also deleted from the destination DC. To limit and avoid any conflicts, all GPO editing must be performed only on the first DC server.

5. To copy SysVol, first generate an SSH key on the first AD DC server, then transfer the key to the second DC server with the following commands.

Do not set a passphrase when generating the key, so that transfers can run without user intervention.

# ssh-keygen -t RSA
# ssh-copy-id root@adc2
# ssh adc2
# exit

Generate SSH keys on the Samba4 DC server

6. Once you have confirmed that the root user can log in to the second DC server from the first DC server without a password, run the following rsync command with the --dry-run parameter to simulate the SysVol replication. Be sure to replace the parameter values with your own data.

# rsync --dry-run -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/

7. If the simulated replication looks correct, run the rsync command again without the --dry-run parameter to actually copy the GPO objects between the domain controllers.

# rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/

Samba4 AD DC SysVol replication

8. After the SysVol replication is complete, log in to the destination domain controller and run the following command to list the contents of one of the GPO object directories.

When you run the same command on the first DC server, the same GPO objects should be listed.

# ls -alh /var/lib/samba/sysvol/your_domain/Policies/

Verify that the Samba4 DC SysVol replication result is normal

9. To automate the Group Policy replication process (transferring the SysVol directory over the network), create a cron job for the root account that runs the synchronization command every 5 minutes, as shown below.

# crontab -e

Add a synchronization command that runs every 5 minutes and writes its output and error messages to the log file /var/log/sysvol-replication.log. If the command fails, you can inspect this file to locate the problem.

*/5 * * * * rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/ > /var/log/sysvol-replication.log 2>&1
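Because --delete-after removes from the second DC anything missing on the first, an empty or unmounted source SysVol would silently wipe every GPO on the target. The following wrapper, an added example that is not part of the article, runs the article's rsync line from cron only after checking that the source has content and that a dry run would not delete more than a handful of entries; the variable names SYSVOL, TARGET, MAX_DELETES and SYSVOL_SYNC_RUN are this example's own assumptions.

```shell
#!/bin/sh
# Guarded wrapper around the article's rsync line (added example, not from the article).
# Assumed names: SYSVOL, TARGET, MAX_DELETES and SYSVOL_SYNC_RUN are this example's own.
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol/}"
TARGET="${TARGET:-root@adc2:/var/lib/samba/sysvol/}"
MAX_DELETES="${MAX_DELETES:-5}"   # abort if a dry run would delete more entries than this

# Build the rsync command line; pass any argument to get the --dry-run variant.
# --itemize-changes prints one "*deleting <path>" line per entry --delete-after would remove.
rsync_cmd() {
    dry="$1"
    printf 'rsync %s-XAavz --chmod=775 --delete-after --itemize-changes --stats %s %s' \
        "${dry:+--dry-run }" "$SYSVOL" "$TARGET"
}

# Count the deletions listed in rsync --dry-run --itemize-changes output read from stdin.
count_deletes() {
    grep -c '^\*deleting ' || true
}

# Refuse to sync from a source that has no subdirectories at all (unmounted or empty
# sysvol): with --delete-after that would remove every GPO from the second DC.
source_sane() {
    [ -d "$1" ] && [ "$(find "$1" -mindepth 1 -maxdepth 1 -type d | grep -c .)" -gt 0 ]
}

# Succeeds if the deletion count is acceptable, fails if it exceeds MAX_DELETES.
deletes_within_limit() {
    [ "$1" -le "$MAX_DELETES" ]
}

main() {
    source_sane "$SYSVOL" || { echo "source $SYSVOL empty or missing, refusing to sync" >&2; exit 2; }
    n=$(sh -c "$(rsync_cmd dry)" | count_deletes)
    deletes_within_limit "$n" || { echo "dry run would delete $n entries (limit $MAX_DELETES), aborting" >&2; exit 3; }
    sh -c "$(rsync_cmd)"
}

# Only perform the sync when explicitly requested, so the functions can be sourced safely.
if [ "${SYSVOL_SYNC_RUN:-0}" = 1 ]; then main; fi
```

Install it as the cron command with SYSVOL_SYNC_RUN=1 in the environment; a non-zero exit in the log file then tells you the sync was refused rather than partially applied.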

10. If there is a problem with SysVol ACL permissions in the future, you can use the following command to detect and fix these exceptions.

# samba-tool ntacl sysvolcheck
# samba-tool ntacl sysvolreset

Fix SysVol ACL permission problem

11. If the first Samba4 AD DC, which holds the "PDC Emulator" FSMO role, becomes unavailable, you can force the Group Policy Management console on Microsoft Windows to connect only to the second domain controller by choosing the Change Domain Controller option and manually selecting the target machine, as shown in the following figure.

Change the Samba4 domain controller

Select Samba4 domain controller

While connected to the second DC server from the Group Policy Management console, avoid making any changes to Group Policy. Otherwise, when the first DC server comes back online, the rsync command will delete the changes made on the second DC server.

That is the whole of "How to use the rsync command to synchronize the SysVol directory between two Samba4 AD DCs". Thank you for reading! I hope it has given you a useful understanding of the topic.
