[Samba] GPO

Eben Victor eben.victor at vcontractor.co.za
Thu Apr 7 10:15:34 UTC 2016


Hi Louis,
See below, 
C:\>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : EBEN-TEST-PC
   Primary Dns Suffix  . . . . . . . : domain.corp
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.corp
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : domain.corp
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-67-2C-53
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.210.130(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 06 April 2016 01:17:33 PM
   Lease Expires . . . . . . . . . . : 06 April 2016 03:14:04 PM
   Default Gateway . . . . . . . . . : 172.16.210.2
   DHCP Server . . . . . . . . . . . : 172.16.210.254
   DNS Servers . . . . . . . . . . . : 10.102.219.51
                                       10.102.219.50
                                       10.132.33.48
                                       10.132.33.2
   Primary WINS Server . . . . . . . : 172.16.210.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
I have already tested disjoining and rejoining the PC; still the same
error. I did a clean installation with a new hostname as well.
Also see the Microsoft analyst report below.
User Logon Info
************
User Name                   : domain\user
User SID                    : S-1-5-21-801203796-115225906-466470621-4513
User Object DN              : CN=user,OU=Users,DC=domain,DC=corp
User Password Last Set      : 7/16/2015 3:20:41 PM
UserAccountControl Value    : {NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD}
Logon Authentication Method : Kerberos
User Domain                 : domain.corp
Computer Site               : Default-First-Site-Name
Computer Role               : Client
Computer Operating System   : Windows 7
Computer Domain             : domain.corp
Domain Controller           : {zafprdc001.domain.corp}
Global Catalog              : {zacprdc001.domain.corp}
 
System Logs:
***********
11/2/2015 10:15:00 AM Warning EBEN-TEST-PC.domain.corp 1014 Microsoft-
Windows-DNS-Client N/A NT AUTHORITY\NETWORK SERVICE Name resolution for
the name _ldap._tcp.dc._msdcs.domain.corp timed out after none of the
configured DNS servers responded. 
http://social.technet.microsoft.com/wiki/contents/articles/3336.event-id-1014-microsoft-windows-dns-client.aspx
 
11/2/2015 10:15:02 AM Error EBEN-TEST-PC.domain.corp 5719 NETLOGON N/A
N/A This computer was not able to set up a secure session with a domain
controller in domain domain due to the following:  There are currently
no logon servers available to service the logon request.  This may lead
to authentication problems. Make sure that this computer is connected
to the network. If the problem persists, please contact your domain
administrator.   ADDITIONAL INFO  If this computer is a domain
controller for the specified domain, it sets up the secure session to
the primary domain controller emulator in the specified domain.
Otherwise, this computer sets up the secure session to any domain
controller in the specified domain. 
https://support.microsoft.com/en-us/kb/938449
 
11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 1058 Microsoft-
Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The processing of Group
Policy failed. Windows attempted to read the file
\\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-D95765CC1AD0}\gpt.ini
from a domain controller and was not successful.
Group Policy settings may not be applied until this event is resolved.
This issue may be transient and could be caused by one or more of the
following:  a) Name Resolution/Network Connectivity to the current
domain controller.  b) File Replication Service Latency (a file created
on another domain controller has not replicated to the current domain
controller).  c) The Distributed File System (DFS) client has been
disabled. 
https://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx
 
11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 1110 Microsoft-
Windows-GroupPolicy N/A domain\EBEN-TEST-PC The processing of Group
Policy failed. Windows could not determine if the user and computer
accounts are in the same forest. Ensure the user domain name matches
the name of a trusted domain that resides in the same forest as the
computer account.
https://technet.microsoft.com/en-us/library/cc727342(v=ws.10).aspx
 
Group policy Logs:
**************
11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 7017 Microsoft-
Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The system calls to access
specified file completed. 
\\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-D95765CC1AD0}\gpt.ini
The call failed after 827 milliseconds.
11/2/2015 10:15:12 AM Error EBEN-TEST-PC.domain.corp 7000 Microsoft-
Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Computer boot policy
processing failed for domain\EBEN-TEST-PC$ in 4 seconds. 
11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 7001 Microsoft-
Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM User logon policy
processing failed for domain\EBEN-TEST-PC in 0 seconds. 
11/2/2015 10:16:25 AM Error EBEN-TEST-PC.domain.corp 7005 Microsoft-
Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Manual processing of policy
failed for user domain\EBEN-TEST-PC in 0 seconds. 
 
Gpresult:
*******
INFO: The user "domain\user" does not have RSOP data.
 
07/21/2015 02:11:48 AM   Error         EBEN-TEST-PC.domain 4205   
Microsoft-Windows-NlaSvc            Gateway Resolution NT
AUTHORITY\NETWORK SERVICE      Gateway resolution failed on interface
{581B9AD1-62E8-4689-9338-E2568B7DD014} for 10.23.199.1 with error: 0x43
07/22/2015 02:10:24 AM   Error         EBEN-TEST-PC.domain 4343   
Microsoft-Windows-NlaSvc            Ldap Authenticatio NT
AUTHORITY\NETWORK SERVICE      LDAP authentication on interface
{581B9AD1-62E8-4689-9338-E2568B7DD014} (10.23.199.220) failed with
error 0x56
LDAP errors:
https://support.microsoft.com/en-us/kb/218185
-----Original Message-----
From: barış tombul <bbtombul at gmail.com>
To: Eben Victor <eben.victor at vcontractor.co.za>
Cc: samba <samba at lists.samba.org>
Subject: Re: [Samba] GPO
Date: Wed, 6 Apr 2016 14:10:10 +0300
this command >>  samba-tool ntacl sysvolreset
2016-04-06 13:34 GMT+03:00 Eben Victor <eben.victor at vcontractor.co.za>:
> Hi All,
> I created a Samba domain and it works great; the issue that I have
> is with the GPOs. When applying GPOs, only the computer policy
> is applied and not the user GPO. I keep on receiving the error below.
> Has anybody else perhaps been experiencing the same issues?
> 
> C:\>gpupdate /force
> Updating Policy...
> 
> User policy could not be updated successfully. The following errors
> were encountered:
> 
> The processing of Group Policy failed. Windows could not determine if
> the user and computer accounts are in the same forest. Ensure the
> user domain name matches the name of a trusted domain that resides in
> the same forest as the computer account.
> Computer Policy update has completed successfully.
> 
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.
> 
> Kind Regards
> “This e-mail is sent on the Terms and Conditions that can be accessed
> by Clicking on this link https://webmail.vodacom.co.za/tc/default.html”