Author Topic: Two domain controllers, sysvol replication and idmap.ldb  (Read 1416 times)

victorsts

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Two domain controllers, sysvol replication and idmap.ldb
« on: September 21, 2021, 10:30:18 am »
Hello,

I have two domain controllers using Zentyal 7, dc01 and dc02. dc01 has all the FSMO roles and was the first installed with a new domain. Then added dc02 and everything seems to be working fine. I have unidirectional sysvol replication using lrsync from dc01 to dc02 and all admin consoles are set up to connect to dc01 to edit GPO, users/groups, etc.

Now I was thinking about implementing bidirectional replication, but checking the official Samba docs (https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround#Setup_on_all_other_Domain_Controller.28s.29), I read "Make sure, that you have identical IDs of built-in groups on all DCs". That means creating a copy of /usr/local/samba/private/idmap.ldb and place it in the additional DCs.

My problem is that /usr/local/samba/private/idmap.ldb is NOT identical in both DC's. The one in dc01 has 69 entries and that in dc02 has 82. I can't figure out why dc02 has more entries than dc01, given that the latter is the FSMO roles owner and has always been.

Should I copy /usr/local/samba/private/idmap.ldb from dc01 to dc02?
What is that file used for in Zentyal?
Does Zentyal create that copy of /usr/local/samba/private/idmap.ldb when adding itself as an additional controller?

Thanks in advance.

turalyon

  • Zen Warrior
  • ***
  • Posts: 197
  • Karma: +15/-0
    • View Profile
Re: Two domain controllers, sysvol replication and idmap.ldb
« Reply #1 on: September 27, 2021, 10:29:39 am »
Hi,

There is an script located at '/usr/share/zentyal/smart-admin-report' that checks the status of a Zentyal, that script contains a function called 'dc_check' that do several checks in the Domain Controller module, perhaps you should run the script in both Zentyal and check the results.

Also, there is a command 'samba-tool showrepl' that you should run in both servers in order to check the replication status.

Finally, did you analyze the log files in both servers? Perhaps, the replication has some kind of issue.

---
“This world is ours, and by the Holy Light we will keep it safe, now and forever".