.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Synchronizing SYSVOLs between multiple domain controllers
  :keywords: SYSVOL, Debian, RedHat8 and derived distributions, Samba-AD, documentation, synchronization

.. _samba_tis_sysvolsync:

#########################################################
Synchronizing SYSVOLs between multiple domain controllers
#########################################################

.. note::

  The :file:`SYSVOL` directory is a special folder on an Active Directory domain controller that is used to store netlogon scripts and GPO definitions.

As of today, Samba has no official support for a DFS-R mechanism based on the Microsoft specifications.

The development work needed to provide this functionality has been identified and priced.
If you are interested in financing it, :ref:`contact us <contact_tranquil_it>`.

Tranquil IT has developed a method that achieves the same result as DFS-R to synchronize :file:`SYSVOL` between Samba-AD servers in the same domain.

:program:`SysvolSync` is a solution to synchronize the :file:`SYSVOL` directory between two Samba Active Directory domain controllers.
It is not compatible with DFS-R.

The method that is presented below has been tested on Debian / RedHat8 and derived distributions.

**********************************
Introducing the SysvolSync Utility
**********************************

.. note::

  :program:`SysvolSync` is based on `Syncthing <https://syncthing.net/>`_, a very efficient synchronization tool.
  :program:`Syncthing` can send notifications to an HTTP URL.
  :program:`SysvolSync` receives and processes these notifications by triggering a :command:`samba-tool ntacl sysvolreset`.

  This method is not optimized for efficiency, since it resets the :abbr:`ACLs (Access Control Lists)` on the whole :file:`SYSVOL` tree.
  Performance improvements are under study.

  License and copyright: `Tranquil IT Systems <https://www.tranquil.it/>`_, GPL v3.0.

The code can be downloaded from `Tranquil IT’s Github space <https://github.com/tranquilit/tis-sysvolsync>`_.

********************************
Packaging the SysvolSync Utility
********************************

Creating the SysvolSync package
===============================

.. code-block:: bash

  # for 64-bit Debian

  sudo apt-get install git python3-requests python3-lxml python3-ldap
  git clone https://github.com/tranquilit/tis-sysvolsync
  cd tis-sysvolsync/deb
  sh createdeb.sh
  ls tis-sysvolsync-*.deb

  # for 64-bit RedHat8 and derived distributions

  yum install rpm-build git python3-requests python3-lxml python3-ldap
  git clone https://github.com/tranquilit/tis-sysvolsync
  cd tis-sysvolsync/rpm
  sh build.sh
  ls *.rpm

Installing SysvolSync
=====================

.. hint::

  Remember to install the *tis-sysvolsync* package on all your domain controllers before continuing with the configuration, because :program:`Syncthing` connects to the other DCs to exchange encryption keys.

.. code-block:: bash

  # for 64-bit Debian

  apt-get install python3-requests python3-lxml python3-ldap procps ldb-tools
  dpkg -i tis-sysvolsync-*.deb
  systemctl restart tis-sysvolsync
  systemctl restart tis-sysvolacl

  # for 64-bit RedHat8 and derived distributions

  yum install tis-sysvolsync-*.rpm
  systemctl enable tis-sysvolsync
  systemctl enable tis-sysvolacl
  systemctl restart tis-sysvolsync
  systemctl restart tis-sysvolacl

Configuring the SysvolSync utility
----------------------------------

Once :program:`SysvolSync` is deployed on all the controllers in the domain, you can proceed with the configuration.

The configuration will require SSH authentication to exchange encryption keys:

.. code-block:: bash

  /opt/tis-sysvolsync/sysvolsync.py configure

.. note::

  The replication topology for :program:`SysvolSync` is based on the one defined by the *ntdsconnection* objects of the :abbr:`KCC (Knowledge Consistency Checker)`.

  So if you have a star replication topology, then :program:`SysvolSync` will have a star replication topology.

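As an added illustration (not code from tis-sysvolsync), the following Python rebuilds the KCC topology that :program:`SysvolSync` will mirror from the *fromServer* attribute of the *nTDSConnection* objects, in the form returned by :command:`ldbsearch` on :file:`sam.ldb`, and flags connections that have no reverse link, which is worth checking before trusting the resulting :file:`SYSVOL` replication paths. The LDIF sample is constructed; the object class, attribute and DN layout are standard Active Directory schema, and the :file:`sam.ldb` path in the comment is the usual Samba location, not taken from this page.

```python
# Constructed sample in the shape of ldbsearch output (typically
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=nTDSConnection)' fromServer)
# for three DCs with DC1 as hub; long lines are folded as ldb does (leading space).
SAMPLE_LDIF = """\
# record 1
dn: CN=4f9c,CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=mydomain,DC=lan
fromServer: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=mydomain,DC=lan

dn: CN=7a11,CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=mydomain,DC=lan
fromServer: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=mydomain,DC=lan

dn: CN=9b02,CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=mydomain,DC=lan
fromServer: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
 ites,CN=Configuration,DC=mydomain,DC=lan
"""

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}], unfolding continuation lines and skipping '#' comments."""
    records, rec, last = [], {}, None
    for line in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if line.startswith(" ") and last:          # folded continuation line
            rec[last][-1] += line[1:]
        elif line.strip():                         # "attr: value" line
            last, _, value = line.partition(":")
            rec.setdefault(last, []).append(value.strip())
        elif rec:                                  # blank line ends a record
            records.append(rec)
            rec, last = {}, None
    return records

def server_of(dn):
    return dn.split("CN=NTDS Settings,CN=", 1)[1].split(",", 1)[0]  # RDN after NTDS Settings

def kcc_topology(ldif_text):
    """Map each DC to the set of DCs it has an inbound nTDSConnection from."""
    inbound = {}
    for rec in parse_ldif(ldif_text):
        if "fromServer" in rec:
            srcs = inbound.setdefault(server_of(rec["dn"][0]), set())
            srcs.update(server_of(s) for s in rec["fromServer"])
    return inbound

def one_way_links(inbound):
    """(src, dst) links whose reverse is missing: dst has no KCC path back to src."""
    return sorted((s, d) for d, ss in inbound.items() for s in ss if d not in inbound.get(s, ()))
```

On the sample, ``kcc_topology`` yields a star around DC1 and ``one_way_links`` reports ``[("DC1", "DC3")]``, i.e. DC3 receives from the hub but nothing pulls from DC3.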