On 30.07.2021 at 11:15, Rowland Penny via samba wrote:
> On Fri, 2021-07-30 at 11:01 +0200, Thomas Kempf via samba wrote:
>>
>>>
>>> You have to run sysvolreset on all DCs
>> can I do this safely now, having removed the gidNumber from Domain
>> Admins?
>
> Yes
>
>>
>>>
>>> this doesn't mean that you need to sync idmap.ldb, only if you have
>>> made user or group changes.
>> ok, but shouldn't this be done automagically by the implemented
>> "Bidirectional Rsync/Unison based SysVol replication workaround"?
>
> No, because that method does not sync idmap.ldb

Sorry, I fear I was not clear in what I meant.
As far as I understood, there will be no change in idmap.ldb when I'm
not making any user or group changes, so no need to resync idmap.ldb
each time I change an ACL on a GPO.
But if I change only Delegation on one Policy - which leads AFAIK to
changed ACLs on the FSMO DC's sysvol - shouldn't these ACL changes be
synced to the other DC automatically by Unison?
This is what does not work here.
Kind Regards
Tom