problem with GPO Policy after rename

itdept_head itdept_head at grown-up.com
Wed Feb 1 02:52:13 UTC 2023


On 31/1/2023, 10:50 PM, "samba-technical on behalf of David Mulder via samba-technical" <samba-technical-bounces at lists.samba.org on behalf of samba-technical at lists.samba.org> wrote:


On 1/30/23 11:46 PM, itdept_head via samba-technical wrote:
> Samba 4.14.4
> Migrated a domain, with a rename.
> The domain is up and resolving correctly and logs in etc. (seems to function totally correctly)
>
>
>
>
> As stated in documents, the GPOs point to the old domain.
>
> Old: ns01.Jim.com
> New: org.bob.com
>
>
> However, this hangs the Windows 10 gpmc.msc tool.
>
> Forest: org.bob.com
> Domains: org.bob.com
> org.bob.com
>
> As soon as you select the “org.bob.com” to maintain the tree of users/GPO, etc., you get into an endless loop since “ns01.jim.com” cannot be found (also you might not want it referencing the old domain).
>
> “Domain: ns01.Jim.com”
> “The specified domain either does not exist or could not be contacted.”
> This then puts the MS tools into a tight loop with no cancel options.
>
>
> QUESTION:
> Where is this reference to “Domain: ns01.Jim.com” kept in the LDAP?
> Totally deleting the GPO from SYSVOL AND going into CN=Policies.CN=System to delete any used GPO links, and restarting the samba, does not remove the references.
IIRC, these are kept in 'CN=Policies,CN=System' in ldap. I think the 
objectClass is 'groupPolicyContainer'. I'm just skimming through code to 
see these. You should be able to do a subtree search for 
'(objectClass=groupPolicyContainer)' to find all your GPOs.


-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com

Yep... I saw that..... but it's not where the actual reference that breaks GPMC & other MS tools sits... (I spent days playing about in obvious areas)
Even deleting the references in this does not clear the GPMC looping.

It's in the top level domain container..
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC={host name}
gPLink:

and there is one delimited string in each "OU" that has any GPO set.
gPLink:	[LDAP://cn={59A490CC-59A6-4920-96A2-94A51F8EA1C3},cn=policies,cn=system,DC{old domain ref};0]
Edit or delete those strings and the GPMC is fixed up immediately. Does not even need a samba restart...

That's the magic source.
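
The thread locates the stale references in the gPLink attribute of the domain object and of each OU that has a GPO linked. As an added example (not code from the posts or from Samba), this Python script parses gPLink values, lists links whose DC= suffix is not the new domain, and computes the corrected string; it only prints and never writes to the directory. The DNs are constructed from the domain names in the thread, and the second GUID is made up.

```python
import re

# A gPLink value is a run of "[LDAP://<GPO DN>;<options>]" entries with no separator.
ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

def domain_dn(dns_name):
    """org.bob.com -> DC=org,DC=bob,DC=com"""
    return ",".join("DC=" + label for label in dns_name.split("."))

def split_dn(dn):
    """Split a GPO DN into (non-DC components, lower-cased DC suffix).
    Assumes no escaped commas, which holds for cn={GUID},cn=policies,cn=system."""
    parts = [p.strip() for p in dn.split(",")]
    head = [p for p in parts if not p.upper().startswith("DC=")]
    tail = [p for p in parts if p.upper().startswith("DC=")]
    return head, ",".join(tail).lower()

def stale_links(objects, new_domain):
    """Return (object DN, GPO DN, options) for links outside new_domain."""
    want = domain_dn(new_domain).lower()
    return [(obj, dn, int(opt))
            for obj, value in objects.items()
            for dn, opt in ENTRY.findall(value)
            if split_dn(dn)[1] != want]

def rewrite_gplink(value, old_domain, new_domain):
    """Return value with old-domain links re-pointed; other links untouched."""
    old = domain_dn(old_domain).lower()
    def fix(m):
        head, suffix = split_dn(m.group(1))
        if suffix != old:
            return m.group(0)
        return "[LDAP://%s,%s;%s]" % (",".join(head), domain_dn(new_domain), m.group(2))
    return ENTRY.sub(fix, value)

# Constructed sample: DNs built from the domain names in the thread; second GUID is made up.
GPO = "cn={59A490CC-59A6-4920-96A2-94A51F8EA1C3},cn=policies,cn=system"
OTHER = "cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system"
SAMPLE = {
    "DC=org,DC=bob,DC=com": "[LDAP://%s,DC=ns01,DC=Jim,DC=com;0]" % GPO,
    "OU=Staff,DC=org,DC=bob,DC=com":
        "[LDAP://%s,DC=org,DC=bob,DC=com;0][LDAP://%s,DC=ns01,DC=jim,DC=com;2]" % (OTHER, GPO),
}

if __name__ == "__main__":
    for obj, dn, opt in stale_links(SAMPLE, "org.bob.com"):
        print("stale link on %s -> %s (options %d)" % (obj, dn, opt))
    for obj, value in SAMPLE.items():
        print(obj, "=>", rewrite_gplink(value, "ns01.jim.com", "org.bob.com"))
```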


