Setup SysVol Replication Across Two Samba4 AD DC with Rsync - Part 6


This tutorial covers SysVol replication across two Samba4 Active Directory Domain Controllers, performed with the help of a few powerful Linux tools such as Rsync, cron and the SSH protocol.

1. Join Ubuntu 16.04 as an Additional Domain Controller to Samba4 AD DC - Part 5

Step 1: Accurate Time Synchronization Across DCs

1. Before you start replicating the contents of the sysvol directory across both domain controllers, you need to provide accurate time on these machines.

If the time offset between the two domain controllers is greater than 5 minutes and their clocks are not properly synchronized, you will start experiencing various problems with AD accounts and domain replication.

To overcome the time drift problem between two or more domain controllers, you need to install and configure an NTP server on your machine by executing the command below.

# apt-get install ntp

2. After the NTP daemon has been installed, open its main configuration file, comment out the default pool servers (add a # in front of every pool line) and add a new pool that points to the FQDN of the main Samba4 AD DC, which also acts as an NTP server, as shown in the excerpt below.

# nano /etc/ntp.conf

Add the following lines to the ntp.conf file.

#pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst

pool adc1.tecmint.lan

# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com

3. Don't close the file yet. Move to the bottom of the file and add the following lines so that other clients can query and sync time with this NTP server, providing signed NTP requests in case the first DC goes offline:

restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/

4. Finally, save and close the configuration file and restart the NTP daemon to apply the changes. Wait a few seconds or minutes for the time to sync, then issue the ntpq command to print the current synchronization summary for the adc1 peer.

# systemctl restart ntp
# ntpq -p
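As an added check for step 4 (not code from the original article), this POSIX shell script parses the output of ntpq -p to confirm that the DC has selected adc1.tecmint.lan as its peer and that the offset stays within a tolerance; the ntpq output embedded in it is constructed sample data.

```shell
#!/bin/sh
# ntp-check.sh: parse "ntpq -p" output and confirm this DC is synchronised to
# the expected peer within a tolerance. Added example for this guide, not code
# from the original article; the ntpq output below is constructed.

# Print "<peer> <offset_ms>" for the peer ntpd currently syncs to. In ntpq -p
# output the tally character '*' is glued to the remote name in column 1 and
# the offset (milliseconds) is column 9.
selected_peer() {
    printf '%s\n' "$1" | awk '$1 ~ /^\*/ { print substr($1, 2), $9; exit }'
}

# 0 when the selected peer is $2 and |offset| <= $3 ms,
# 1 when the wrong peer is selected or the offset is too large,
# 2 when no peer is selected yet (ntpd still settling after a restart).
ntp_sync_ok() {
    sel=$(selected_peer "$1")
    [ -n "$sel" ] || return 2
    peer=${sel% *}
    off=${sel#* }
    [ "$peer" = "$2" ] || return 1
    awk -v o="$off" -v max="$3" 'BEGIN { o += 0; exit !((o < 0 ? -o : o) <= max + 0) }'
}

# Constructed output of a DC that has locked onto adc1 (tally '*').
NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*adc1.tecmint.lan 192.168.1.254    3 u   41   64  377    0.412    1.873   0.609
+ntp.ubuntu.com   .GPS.            1 u   18   64  377   21.570   -2.114   1.302'

# Constructed output right after "systemctl restart ntp": reach 0, nothing selected.
NTPQ_SETTLING='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 adc1.tecmint.lan .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com   .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# The guide's 5-minute limit is 300000 ms; a healthy DC pair stays within a few
# milliseconds, so use a far smaller tolerance for monitoring.
case "$0" in
  */ntp-check.sh) ntp_sync_ok "$(ntpq -p)" adc1.tecmint.lan "${1:-300000}" ;;
esac
```

Run it as ntp-check.sh on the DC, optionally passing the tolerance in milliseconds as its only argument; the exit code tells a monitoring job whether the DC is synced (0), mis-peered or drifting (1), or still settling (2).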

Step 2: SysVol Replication with the First DC via Rsync

By default, Samba4 AD DC does not replicate the SysVol directory via DFS-R (Distributed File System Replication) or FRS (File Replication Service).

This means that Group Policy objects are available only while the first domain controller is online. If the first DC becomes unavailable, Group Policy settings and logon scripts will no longer be applied to the Windows machines joined to the domain.

To overcome this obstacle and achieve a basic form of SysVol replication, we will set up an SSH-based channel to securely transfer GPO objects from the first domain controller to the second domain controller.

This method ensures the integrity of the GPO objects across domain controllers, but it has a big drawback. It works only in one direction, because rsync transfers all changes from the source DC to the destination DC when synchronizing the GPO directories.

Objects that do not exist on the source will also be deleted from the destination. To limit and avoid any conflicts, all GPO modifications should be done only on the first DC.

5. To start replicating SysVol, first generate an SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the commands below.

Don't use a passphrase for this key, so that the scheduled transfer can run without user interaction.

# ssh-keygen -t rsa
# ssh-copy-id root@adc2
# ssh adc2
# exit

6. After you have made sure that the root user from the first DC can automatically log in to the second DC, run the following Rsync command with the --dry-run parameter to simulate SysVol replication. Replace adc2 accordingly.

# rsync --dry-run -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/

7. If the simulation works as expected, run the rsync command again without the --dry-run option to actually replicate the GPO objects across your domain controllers.

# rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/

8. After the SysVol replication process finishes, log in to the destination domain controller and list the contents of one of the GPO directories by executing the command below.

The same GPO objects from the first DC should be replicated here as well.

# ls -alh /var/lib/samba/sysvol/your_domain/Policies/

9. To automate the Group Policy replication process (transport of the sysvol directory over the network), schedule a root cron job to run the previously used rsync command every 5 minutes by issuing the command below.

# crontab -e 

Add the rsync command so that it runs every 5 minutes and redirect its output, including errors, to the log file /var/log/sysvol-replication.log. If something does not work as expected, consult this file to troubleshoot the problem.

*/5 * * * * rsync -XAavz --chmod=775 --delete-after --progress --stats /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/ > /var/log/sysvol-replication.log 2>&1
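As an added example (not the article's own code), the following wrapper for the cron job above dry-runs the same rsync first and refuses to apply a plan that would delete more than a configurable number of paths, which guards against the one-way --delete-after behaviour this section warns about; hostnames and paths follow the article, while MAX_DELETES and the sample dry-run listing are invented here.

```shell
#!/bin/sh
# sysvol-replicate.sh: a guarded version of the cron'ed rsync from this guide.
# Added example, not the article's own code. It assumes the article's hosts and
# paths (root@adc2, /var/lib/samba/sysvol/) and invents MAX_DELETES; the
# dry-run listing below is constructed.
#
# The one-liner applies --delete-after blindly and truncates its log on every
# run. This wrapper dry-runs first, refuses a plan that would delete more than
# MAX_DELETES paths (an emptied or unmounted sysvol on adc1 would otherwise wipe
# adc2), and appends timestamped lines to the log instead of overwriting it.

SRC=/var/lib/samba/sysvol/
DEST=root@adc2:/var/lib/samba/sysvol/
LOG=/var/log/sysvol-replication.log
MAX_DELETES=${MAX_DELETES:-20}
RSYNC_OPTS="-XAavz --chmod=775 --delete-after --stats"   # as in the guide, minus --progress

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Count the paths an rsync --dry-run listing says it would delete ("deleting <path>").
count_deletes() { printf '%s\n' "$1" | awk '/^deleting / { n++ } END { print n + 0 }'; }

# 0 when the plan deletes at most $2 paths, 1 otherwise.
deletes_within_limit() { [ "$(count_deletes "$1")" -le "$2" ]; }

replicate() {
    plan=$(rsync --dry-run $RSYNC_OPTS "$SRC" "$DEST" 2>&1) || { log "dry-run failed: $plan"; return 1; }
    if ! deletes_within_limit "$plan" "$MAX_DELETES"; then
        log "refusing to sync: plan deletes $(count_deletes "$plan") paths (limit $MAX_DELETES)"
        return 2
    fi
    if rsync $RSYNC_OPTS "$SRC" "$DEST" >>"$LOG" 2>&1; then
        log "sync ok"
    else
        log "rsync failed with exit $?"; return 1
    fi
}

# Constructed dry-run listing: two stale files on adc2 would be removed.
SAMPLE_PLAN='sending incremental file list
deleting your_domain/Policies/{GPO-GUID}/Machine/old.pol
deleting your_domain/scripts/stale-logon.bat
your_domain/Policies/{GPO-GUID}/GPT.INI

Number of deleted files: 2'

# Root cron entry (flock -n keeps a slow run from overlapping the next one):
# */5 * * * * flock -n /run/sysvol-replication.lock /usr/local/sbin/sysvol-replicate.sh
case "$0" in */sysvol-replicate.sh) replicate ;; esac
```

A refused run leaves the log line "refusing to sync" in /var/log/sysvol-replication.log, so a sudden mass deletion on adc1 surfaces in the log instead of propagating to adc2.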

10. If SysVol ACL permission issues appear in the future, you can run the following commands to detect and fix those errors.

# samba-tool ntacl sysvolcheck
# samba-tool ntacl sysvolreset

11. If the first Samba4 AD DC, which holds the PDC Emulator FSMO role, becomes unavailable, you can force the Group Policy Management Console installed on a Microsoft Windows system to connect only to the second domain controller by choosing Change Domain Controller and manually selecting the target machine, as illustrated below.

While connected to the second DC from the Group Policy Management Console, you should avoid making any changes to your domain Group Policy. When the first DC becomes available again, the rsync command will destroy all changes made on this second domain controller.