On 30.07.2021 at 10:51, Rowland Penny via samba wrote:
> On Fri, 2021-07-30 at 10:29 +0200, Thomas Kempf via samba wrote:
>> Hi Rowland,
>>
>> OK, until now I still hesitated to leave the Debian packages repo, but
>> I'll definitely check this out.
>
> I suppose that I should mention that Louis is a Samba team member and
> lots of people (including myself) use his repo
>
>>
>> This is what I already did this morning. I created a new admin group
>> using the same gidNumber as Domain Admins had before and removed the
>> gidNumber from Domain Admins. After that I resynchronized idmap.ldb to
>> the second DC, including net cache flush on both DCs. I also removed
>> 'idmap_ldb:use rfc2307 = yes' from my DCs' configuration and restarted
>> them.
>
> You didn't need to do both, not having 'idmap_ldb:use rfc2307 = yes' on
> a DC means 'do not use any rfc2307 attributes on this DC', so the
> Domain Admins gidNumber would be ignored. If you only use a DC for
> authentication, you do not need the line.
OK, I understand.
>>
>> >> The Sysvol seems OK on the machine to which I connected, but the
>> >> ACL changes during the sysvolreset don't get synchronized to the
>> >> other DC.
>
> You have to run sysvolreset on all DCs
Can I do this safely now, having removed the gidNumber from Domain Admins?
>
>> >
>> > That is correct, you also need to sync idmap.ldb from the DC with the
>> > PDC_Emulator FSMO role to all other DCs.
>> Does this mean I always have to do a manual full resync to my second
>> DC when I only change ACLs on the Policies?
>
> Any time you alter Sysvol, you need to sync it to the other DCs, but
> this doesn't mean that you need to sync idmap.ldb, only if you have
> made user or group changes.
OK, but shouldn't this be done automagically by the implemented
"Bidirectional Rsync/Unison based SysVol replication workaround"?
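The procedure Rowland describes (sysvolreset on every DC, Sysvol pushed after each change, idmap.ldb pushed from the PDC Emulator only after user or group changes) as an added example script; this is not code from the thread or from the Samba project. Assumed: the default Debian Samba paths, root SSH between DCs, a systemd unit named samba-ad-dc, and the hostname dc2.example.com; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the thread. Run on the DC holding the PDC
# Emulator FSMO role. Assumptions (hypothetical): paths below, root SSH to
# the other DCs, systemd unit 'samba-ad-dc'. DRY_RUN=1 only echoes commands.
set -eu

PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# sync_idmap DC: only needed after user/group changes. tdbbackup takes a
# consistent snapshot of the live idmap.ldb; the target swaps it in while
# samba is stopped and then drops its cached SID<->ID mappings.
sync_idmap() {
    dc="$1"
    run tdbbackup -s .bak "$PRIVATE_DIR/idmap.ldb"
    run rsync -a "$PRIVATE_DIR/idmap.ldb.bak" "root@$dc:$PRIVATE_DIR/idmap.ldb.bak"
    remote="systemctl stop samba-ad-dc && mv $PRIVATE_DIR/idmap.ldb.bak $PRIVATE_DIR/idmap.ldb"
    remote="$remote && systemctl start samba-ad-dc && net cache flush"
    run ssh "root@$dc" "$remote"
}

# sync_sysvol DC: mirror the Sysvol tree (-X/-A carry the xattr-stored NT
# ACLs, --delete removes files gone from the source), then reset the ACLs
# on the target, since sysvolreset only fixes the DC it runs on.
sync_sysvol() {
    dc="$1"
    run rsync -aXA --delete "$SYSVOL_DIR/" "root@$dc:$SYSVOL_DIR/"
    run ssh "root@$dc" samba-tool ntacl sysvolreset
}

# replicate_to [--with-idmap] DC...: Sysvol always, idmap.ldb only on request
replicate_to() {
    with_idmap=0
    if [ "${1:-}" = "--with-idmap" ]; then with_idmap=1; shift; fi
    for dc in "$@"; do
        if [ "$with_idmap" = 1 ]; then sync_idmap "$dc"; fi
        sync_sysvol "$dc"
    done
}

# Fix this DC's own Sysvol ACLs first, then push. Usage:
#   ./sync-dcs.sh --with-idmap dc2.example.com
if [ -n "${1:-}" ]; then
    run samba-tool ntacl sysvolreset
    replicate_to "$@"
fi
```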