[Samba] GPO

L.P.H. van Belle belle at bazuin.nl
Thu Apr 7 11:27:28 UTC 2016


Hai, 

The PC config looks ok.

Check your firewall settings on your PC and DC. 
Open 389 and 636  (TCP and UDP)

and test from the pc if you can telnet to port 53 of the DNS servers. 

Let me know the result. 


Greetz, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Eben Victor
> Sent: Thursday 7 April 2016 12:16
> To: samba
> Subject: Re: [Samba] GPO
> 
> Hi Louis,
> See below,
> C:\>ipconfig /all
> Windows IP Configuration
>    Host Name . . . . . . . . . . . . : EBEN-TEST-PC
>    Primary Dns Suffix  . . . . . . . : domain.corp
>    Node Type . . . . . . . . . . . . : Hybrid
>    IP Routing Enabled. . . . . . . . : No
>    WINS Proxy Enabled. . . . . . . . : No
>    DNS Suffix Search List. . . . . . : domain.corp
> Ethernet adapter Local Area Connection:
>    Connection-specific DNS Suffix  . : domain.corp
>    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
> Connection
>    Physical Address. . . . . . . . . : 00-0C-29-67-2C-53
>    DHCP Enabled. . . . . . . . . . . : Yes
>    Autoconfiguration Enabled . . . . : Yes
>    IPv4 Address. . . . . . . . . . . : 172.16.210.130(Preferred)
>    Subnet Mask . . . . . . . . . . . : 255.255.255.0
>    Lease Obtained. . . . . . . . . . : 06 April 2016 01:17:33 PM
>    Lease Expires . . . . . . . . . . : 06 April 2016 03:14:04 PM
>    Default Gateway . . . . . . . . . : 172.16.210.2
>    DHCP Server . . . . . . . . . . . : 172.16.210.254
>    DNS Servers . . . . . . . . . . . : 10.102.219.51
>                                        10.102.219.50
>                                        10.132.33.48
>                                        10.132.33.2
>    Primary WINS Server . . . . . . . : 172.16.210.2
>    NetBIOS over Tcpip. . . . . . . . : Enabled
> I have already tested disjoining and rejoining the PC, still the same
> error. I did a clean installation with a new hostname as well.
> Also see the Microsoft analyst report below
> User Logon Info
> ************
> User Name                   : domain\user
> User SID                    : S-1-5-21-801203796-115225906-466470621-4513
> User Object DN              : CN=user,OU=Users,DC=domain,DC=corp
> User Password Last Set      : 7/16/2015 3:20:41 PM
> UserAccountControl Value    : {NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD}
> Logon Authentication Method : Kerberos
> User Domain                 : domain.corp
> Computer Site               : Default-First-Site-Name
> Computer Role               : Client
> Computer Operating System   : Windows 7
> Computer Domain             : domain.corp
> Domain Controller           : {zafprdc001.domain.corp}
> Global Catalog              : {zacprdc001.domain.corp}
> 
> System Logs:
> ***********
> 11/2/2015 10:15:00 AM Warning EBEN-TEST-PC.domain.corp 1014 Microsoft-
> Windows-DNS-Client N/A NT AUTHORITY\NETWORK SERVICE Name resolution for
> the name _ldap._tcp.dc._msdcs.domain.corp timed out after none of the
> configured DNS servers responded.
> http://social.technet.microsoft.com/wiki/contents/articles/3336.event-id-1014-microsoft-windows-dns-client.aspx
> 
> 11/2/2015 10:15:02 AM Error EBEN-TEST-PC.domain.corp 5719 NETLOGON N/A
> N/A This computer was not able to set up a secure session with a domain
> controller in domain domain due to the following:  There are currently
> no logon servers available to service the logon request.  This may lead
> to authentication problems. Make sure that this computer is connected
> to the network. If the problem persists, please contact your domain
> administrator.   ADDITIONAL INFO  If this computer is a domain
> controller for the specified domain, it sets up the secure session to
> the primary domain controller emulator in the specified domain.
> Otherwise, this computer sets up the secure session to any domain
> controller in the specified domain.
> https://support.microsoft.com/en-us/kb/938449
> 
> 11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 1058 Microsoft-
> Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The processing of Group
> Policy failed. Windows attempted to read the file
> \\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-
> D95765CC1AD0}\gpt.ini from a domain controller and was not successful.
> Group Policy settings may not be applied until this event is resolved.
> This issue may be transient and could be caused by one or more of the
> following:  a) Name Resolution/Network Connectivity to the current
> domain controller.  b) File Replication Service Latency (a file created
> on another domain controller has not replicated to the current domain
> controller).  c) The Distributed File System (DFS) client has been
> disabled.
> https://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx
> 
> 11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 1110 Microsoft-
> Windows-GroupPolicy N/A domain\EBEN-TEST-PC The processing of Group
> Policy failed. Windows could not determine if the user and computer
> accounts are in the same forest. Ensure the user domain name matches
> the name of a trusted domain that resides in the same forest as the
> computer account.
> https://technet.microsoft.com/en-us/library/cc727342(v=ws.10).aspx
> 
> Group policy Logs:
> **************
> 11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 7017 Microsoft-
> Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The system calls to access
> specified file completed.
> \\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-
> D95765CC1AD0}\gpt.ini The call failed after 827 milliseconds.
> 11/2/2015 10:15:12 AM Error EBEN-TEST-PC.domain.corp 7000 Microsoft-
> Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Computer boot policy
> processing failed for domain\EBEN-TEST-PC$ in 4 seconds.
> 11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 7001 Microsoft-
> Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM User logon policy
> processing failed for domain\EBEN-TEST-PC in 0 seconds.
> 11/2/2015 10:16:25 AM Error EBEN-TEST-PC.domain.corp 7005 Microsoft-
> Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Manual processing of policy
> failed for user domain\EBEN-TEST-PC in 0 seconds.
> 
> Gpresult:
> *******
> INFO: The user "domain\user" does not have RSOP data.
> 
> 07/21/2015 02:11:48 AM   Error         EBEN-TEST-PC.domain 4205
> Microsoft-Windows-NlaSvc            Gateway Resolution NT
> AUTHORITY\NETWORK SERVICE      Gateway resolution failed on interface
> {581B9AD1-62E8-4689-9338-E2568B7DD014} for 10.23.199.1 with error: 0x43
> 07/22/2015 02:10:24 AM   Error         EBEN-TEST-PC.domain 4343
> Microsoft-Windows-NlaSvc            Ldap Authenticatio NT
> AUTHORITY\NETWORK SERVICE      LDAP authentication on interface
> {581B9AD1-62E8-4689-9338-E2568B7DD014} (10.23.199.220) failed with
> error 0x56
> LDAP errors:
> https://support.microsoft.com/en-us/kb/218185
> -----Original Message-----
> From: bar???? tombul <bbtombul at gmail.com>
> To: Eben Victor <eben.victor at vcontractor.co.za>
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] GPO
> Date: Wed, 6 Apr 2016 14:10:10 +0300
> this command >>  samba-tool ntacl sysvolreset
> 2016-04-06 13:34 GMT+03:00 Eben Victor <eben.victor at vcontractor.co.za>:
> > Hi All,
> > I created a Samba domain and it works great; the issue that I have
> > is with the GPOs. When applying GPOs, only the computer policy
> > is applied and not the user GPO. I keep on receiving the error below.
> > Has anybody else perhaps been experiencing the same issues?
> >
> > C:\>gpupdate /force
> > Updating Policy...
> >
> > User policy could not be updated successfully. The following errors
> > were encountered:
> >
> > The processing of Group Policy failed. Windows could not determine if
> > the user and computer accounts are in the same forest. Ensure the
> > user domain name matches the name of a trusted domain that resides in
> > the same forest as the computer account.
> > Computer Policy update has completed successfully.
> >
> > To diagnose the failure, review the event log or run GPRESULT /H
> > GPReport.html from the command line to access information about Group
> > Policy results.
> >
> > Kind Regards
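
An added example, not part of the original thread: a Python version of the port-53 test suggested in the reply at the top, taken one step further by sending the SRV query that event 1014 reports as timing out to a DNS server over TCP and decoding the answer. The record name and server addresses are copied from the quoted event log and ipconfig output; the function names are made up for this example.

```python
import socket
import struct

SRV_NAME = "_ldap._tcp.dc._msdcs.domain.corp"   # name from event 1014 in the thread
DNS_SERVERS = ["10.102.219.51", "10.102.219.50", "10.132.33.48", "10.132.33.2"]  # from ipconfig

def build_srv_query(name, qid=0x1234):
    """Header (RD set, 1 question) + QNAME + QTYPE=SRV(33) + QCLASS=IN(1)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">2H", 33, 1)

def read_name(msg, pos):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, after, hops = [], None, 0
    while (n := msg[pos]) != 0:
        if n & 0xC0 == 0xC0:                     # compression pointer
            after = pos + 2 if after is None else after
            pos, hops = ((n & 0x3F) << 8) | msg[pos + 1], hops + 1
            if hops > 16:                        # refuse looping pointers
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
    return ".".join(labels), (pos + 1 if after is None else after)

def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...])."""
    _, flags, qdcount, ancount = struct.unpack(">4H", msg[:8])
    pos, records = 12, []
    for _ in range(qdcount):                     # skip the echoed question
        pos = read_name(msg, pos)[1] + 4
    for _ in range(ancount):
        pos = read_name(msg, pos)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 33:                          # SRV: priority, weight, port, target
            records.append(struct.unpack(">3H", msg[pos + 10:pos + 16]) + (read_name(msg, pos + 16)[0],))
        pos += 10 + rdlen
    return flags & 0x000F, records

def query_server(server, name=SRV_NAME, timeout=3.0):
    """SRV lookup over TCP/53; None means no usable answer from this server."""
    query = build_srv_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(struct.pack(">H", len(query)) + query)   # TCP DNS is length-prefixed
            reply = sock.makefile("rb")
            return parse_srv_response(reply.read(struct.unpack(">H", reply.read(2))[0]))
    except (OSError, struct.error, IndexError, ValueError):
        return None
```

Call `query_server(ip)` for each address in `DNS_SERVERS`: `None` means the server did not answer on TCP 53, a non-zero rcode or an empty record list means it answered but does not serve the domain's `_msdcs` zone.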



