problem with GPO Policy after rename

Rowland Penny rpenny at samba.org
Tue Jan 31 15:09:39 UTC 2023



On 31/01/2023 14:49, David Mulder via samba-technical wrote:
> On 1/30/23 11:46 PM, itdept_head via samba-technical wrote:
>> Samba 4.14.4
>> Migrated a domain with a Rename.
>> The domain is up and resolving correctly and logs in etc. (seems to 
>> function totally correctly)
>>
>> As stated in documents the GPO point to the old domain.
>>
>> Old: ns01.Jim.com
>> New: org.bob.com
>>
>>
>> However this hangs the Windows 10 gpmc.msc tool.
>>
>> Forest: org.bob.com
>> Domains: org.bob.com
>> org.bob.com
>>
>> As soon as you select the “org.bob.com” to maintain the tree of 
>> users/GPO, etc. you get into an endless loop since “ns01.jim.com” 
>> cannot be found (also you might not want it referencing the old domain)
>>
>> “Domain: ns01.Jim.com”
>> “The specified domain either does not exist or could not be contacted.”
>> This then puts the MS tools into a tight loop with no cancel options.
>>
>>
>> QUESTION:
>> Where is this reference to “Domain: ns01.Jim.com” kept in the LDAP?
>> Totally deleting the GPO from SYSVOL AND going into 
>> CN=Policies.CN=System to delete any used GPO links, and restarting 
>> the samba does not remove the references.
> IIRC, these are kept in 'CN=Policies,CN=System' in ldap. I think the 
> objectClass is 'groupPolicyContainer'. I'm just skimming through code to 
> see these. You should be able to do a subtree search for 
> '(objectClass=groupPolicyContainer)' to find all your GPOs.
> 

The problem is, if I understand it correctly, Samba doesn't support 
renaming a domain in the long term.

The 'rename' tool was added at the 4.9.0 release and it states this in 
the release notes:

Note that the renamed tool is currently not intended to support a 
long-term rename of the production domain.

It also says this:

Currently renaming the GPOs is not supported and would need to be done 
manually.

I haven't seen anything that says differently (there might be something, 
but I haven't seen it if there is.)

It would be great if renaming a domain does work, but I wouldn't 
recommend trying it in production.

Has anyone renamed a Samba domain and if so, does it work long term?

Rowland
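
The subtree search suggested in the quoted reply, turned into a check (an added example, not part of the original message and not Samba's own code): it parses the LDIF output of a `(objectClass=groupPolicyContainer)` search and lists GPOs whose `gPCFileSysPath` names a domain other than the current one. The sample LDIF, GUIDs and display names are constructed, and treating `gPCFileSysPath` as the place where the old name survives is an assumption the thread does not confirm.

```python
import base64

# Constructed sample: LDIF from a subtree search for
# (objectClass=groupPolicyContainer). GUIDs and display names are made up;
# the domain names are the ones used in the thread.
SAMPLE_LDIF = r"""# record 1
dn: CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=org,DC=bob,DC=com
objectClass: groupPolicyContainer
displayName: Constructed Current GPO
gPCFileSysPath: \\org.bob.com\sysvol\org.bob.com\Policies\{AAAAAAAA-0000-0000-0000-000000000001}

# record 2
dn: CN={BBBBBBBB-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=org,DC=bob,DC=com
objectClass: groupPolicyContainer
displayName: Constructed Stale GPO
gPCFileSysPath: \\ns01.jim.com\sysvol\ns01.jim.com\Policies\{BBBBBBBB-0000-0000
 -0000-000000000002}
"""

def parse_ldif(text):
    """Yield one dict per entry; unfolds continuation lines, decodes 'attr::' base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def stale_gpos(ldif_text, current_domain):
    """Return (displayName, gPCFileSysPath) for GPOs whose UNC path names another domain."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if "grouppolicycontainer" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        for path in entry.get("gpcfilesyspath", []):
            # Expected layout: \\<domain>\sysvol\<domain>\Policies\{GUID}
            parts = path.lstrip("\\").split("\\")
            names = {p.lower() for p in parts[0:1] + parts[2:3]}
            if names != {current_domain.lower()}:
                findings.append((entry.get("displayname", ["?"])[0], path))
    return findings
```

Run it over the saved search output with the new domain name as `current_domain`; an empty list means no `gPCFileSysPath` value names another domain.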