Q&A: How GPOs and SYSVOL are working together in UCS@school

Question

How do GPOs and SYSVOL work together in an ucs@school environment?

Answer

This article explains the mechanisms used in ucs@school for GPO synchronization and explains briefly the concepts of it.

Preface

RSAT

The Remote Server Administration Tools (RSAT) from Microsoft are used to create, edit and remove Group Policy Objects (GPOs). You will have to install this tool on a Windows computer according to the linked article above.
Once installed you can create a GPO and attach it to an object or an OU in the (Samba) LDAP tree.
Note: GPOs cannot be assigned to containers (cn).

GPO

A GPO consists of two elements:

  1. SYSVOL file object
  2. LDAP-entry attached to the object (or ou) pointing to the file object in SYSVOL

Samba Domains

In ucs@school every school has its own Samba/AD domain, which has no interaction with the Samba DCs of the other schools. Note: all of these Samba domains nevertheless use the same Samba SID.

Sysvol sync

Clients need access to the GPO files, which are stored in the SYSVOL share. As a client can connect to any DC, the SYSVOL content needs to be identical on all DC hosts in the domain. In UCS this is done by regularly scheduled rsync calls, because current Samba does not provide its own SYSVOL sync.
For ucs@school the SYSVOL share is synced across the master and all school slaves. So even though they belong to different domains, all Samba DCs have the same SYSVOL. See our documentation on how to configure individual logon scripts in ucs@school environments.

How things work together

Step 1: RSAT

When a GPO is created with RSAT it usually gets attached to an object or ou (not container!).

Step 2: UCS Master

The GPO part on the UCS master creates the file in SYSVOL and creates the GPO entry in the Samba LDAP tree, attached to the desired object/OU.

Step 3a: Samba DC (master) → OpenLDAP

Once Samba is informed about the GPO it will sync it to OpenLDAP. Through Listener/Notifier synchronization the GPO entry gets synced to all other UCS servers (including the backup as well as all ucs@school servers).

Step 3b: SYSVOL Sync

As the GPO is placed as a file in SYSVOL it gets replicated to all other servers (including the backup as well as all ucs@school servers). This might take a short while, as the rsync only starts on schedule (see above).

Step 4a: OpenLDAP → Samba DC (slave)

Once the object is replicated to OpenLDAP it will be synced (through the s4-connector) to the Samba DC of each school. Note: This is different from environments not using ucs@school, as without ucs@school there is only a single s4-connector.

Step 4b: SYSVOL Sync

Just the same as in Step 3b: SYSVOL gets synced among all schools.

Step 5: GPO → client

Finally the client logging on to the Samba DC reads the Samba LDAP and its assigned policies. With this information it tries to access the GPO files in SYSVOL and read them. Once read, the GPO gets applied on the client.
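Because a GPO consists of two halves (the LDAP entry and the SYSVOL folder it points to) and the two travel by different mechanisms (Listener/Notifier plus s4-connector for LDAP, scheduled rsync for SYSVOL), a DC can be in a state where the LDAP entry has already arrived but the files have not, or the files are one version behind. The following Python script is an added example, not part of the original article or of UCS/Samba code; it compares a list of GPO entries as they would come out of Samba LDAP (gPCFileSysPath and versionNumber of groupPolicyContainer objects) with a SYSVOL directory tree and reports folders that are missing, out of date, or orphaned. The SYSVOL location /var/lib/samba/sysvol is assumed, and the GPO GUIDs, domain name and directory tree it checks are constructed inline for the demonstration.

```python
"""Consistency check between the LDAP half and the SYSVOL half of GPOs.

Added example; the sample data below is constructed, not from a real domain.
"""
import os
import re
import tempfile

# Assumed location of the Samba SYSVOL on a UCS DC; pass another root if yours differs.
DEFAULT_SYSVOL_ROOT = "/var/lib/samba/sysvol"


def unc_to_local(gpc_file_sys_path, sysvol_root=DEFAULT_SYSVOL_ROOT):
    """Map \\\\domain\\sysvol\\domain\\Policies\\{GUID} to <sysvol_root>/domain/Policies/{GUID}."""
    parts = [p for p in gpc_file_sys_path.replace("\\", "/").split("/") if p]
    # parts is now ['domain', 'sysvol', 'domain', 'Policies', '{GUID}']
    if len(parts) < 3 or parts[1].lower() != "sysvol":
        raise ValueError("not a SYSVOL UNC path: %r" % gpc_file_sys_path)
    return os.path.join(sysvol_root, *parts[2:])


def read_gpt_version(gpo_dir):
    """Return the Version= value from GPT.INI, or None if folder, file or key is absent."""
    for name in ("GPT.INI", "gpt.ini"):
        path = os.path.join(gpo_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                for line in fh:
                    match = re.match(r"\s*Version\s*=\s*(\d+)", line)
                    if match:
                        return int(match.group(1))
            return None
    return None


def check_gpos(ldap_gpos, sysvol_root):
    """ldap_gpos: dicts with 'dn', 'gPCFileSysPath', 'versionNumber' (as read from LDAP).

    Returns {'missing_sysvol': [dn], 'version_mismatch': [(dn, ldap_v, sysvol_v)],
             'orphan_dirs': [path]} with every list sorted for stable output.
    """
    report = {"missing_sysvol": [], "version_mismatch": [], "orphan_dirs": []}
    referenced = set()
    for gpo in ldap_gpos:
        local = os.path.normpath(unc_to_local(gpo["gPCFileSysPath"], sysvol_root))
        referenced.add(local)
        sysvol_version = read_gpt_version(local)
        if sysvol_version is None:
            # LDAP entry replicated, but rsync has not delivered the folder yet (or it was lost)
            report["missing_sysvol"].append(gpo["dn"])
        elif sysvol_version != int(gpo["versionNumber"]):
            # Folder present but GPT.INI lags behind the LDAP versionNumber
            report["version_mismatch"].append((gpo["dn"], int(gpo["versionNumber"]), sysvol_version))
    # Orphans: {GUID} folders under <domain>/Policies that no LDAP entry points at
    for domain in os.listdir(sysvol_root):
        policies = os.path.join(sysvol_root, domain, "Policies")
        if not os.path.isdir(policies):
            continue
        for entry in os.listdir(policies):
            full = os.path.normpath(os.path.join(policies, entry))
            if entry.startswith("{") and full not in referenced:
                report["orphan_dirs"].append(full)
    for key in report:
        report[key].sort()
    return report


def run_demo():
    """Build a constructed SYSVOL tree plus matching LDAP records and check them."""
    root = tempfile.mkdtemp(prefix="sysvol-demo-")
    domain = "school.example"  # constructed domain name
    policies = os.path.join(root, domain, "Policies")
    guids = ["{AAAAAAAA-0000-0000-0000-00000000000%d}" % i for i in (1, 2, 3, 4)]
    # Folder state: GPO 1 in sync (v3), GPO 2 not yet rsynced, GPO 3 one version behind,
    # GPO 4 only exists as a folder (orphan).
    for guid, version in ((guids[0], 3), (guids[2], 4), (guids[3], 1)):
        os.makedirs(os.path.join(policies, guid))
        with open(os.path.join(policies, guid, "GPT.INI"), "w") as fh:
            fh.write("[General]\r\nVersion=%d\r\n" % version)
    ldap_gpos = [
        {"dn": "CN=%s,CN=Policies,CN=System,DC=school,DC=example" % guid,
         "gPCFileSysPath": "\\\\%s\\sysvol\\%s\\Policies\\%s" % (domain, domain, guid),
         "versionNumber": str(version)}
        for guid, version in ((guids[0], 3), (guids[1], 1), (guids[2], 5))
    ]
    return check_gpos(ldap_gpos, root)


if __name__ == "__main__":
    for key, entries in run_demo().items():
        print("%s: %s" % (key, entries))
```

On a real DC you would feed check_gpos() the output of an LDAP query for objectClass=groupPolicyContainer and run it on each school DC after the rsync schedule has fired; a GPO listed under missing_sysvol or version_mismatch on a slave is one whose clients will fail to apply (or apply a stale version of) the policy until the next SYSVOL sync.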

Explaining Graph

As additional information, a drawing of the components (image not reproduced here).
