[Samba] Group Policy Issues

Anantha Raghava raghav at exzatechconsulting.com
Tue Dec 12 02:32:45 UTC 2017

Hello James,

After reducing the rsync execution time to 5 minutes from 30 minutes, 
the problem seems to have got fixed. However, we will continue to 
observe the setup for week.

Yes, I followed the 
The only difference being I am not using xinitd or a password file. I 
have created the ssh keys between all servers and rsync can login 
without any password.

PDC and DC1 etc., are just names for us to identify. We have all DC / 
pure DC environment. We are running samba version 4.7.1. We will upgrade 
it to 4.7.3 shortly.

Thanks for your suggestions and support.


Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 11/12/17 6:43 PM, lingpanda101 via samba wrote:
> On 12/8/2017 9:39 PM, Anantha Raghava via samba wrote:
>> Hello James,
>> Thanks for your suggestion.
>> When we had two servers in the pool, we were pushing GPO using rsync 
>> from PDC at every 30 minutes. However when we added the two more 
>> domain controllers, our rsync script turned to be a pull from PDC 
>> every 30 minutes. Would this have made those policy objects 
>> inconsistent?
>> We have set up sysvol replication using rsync unidirectional that is 
>> a push from pdc.*******.com to dc1.*******.com every 30 minutes. 
>> However on the dc2.*******.com and dc3.********.com the cronjob 
>> executes on dc2.*******.com and dc3.*********.com every 30 minutes 
>> and pulls the contents of sysvol. cron job is working properly on all 
>> servers.
>> Surprising part is, in a specific network the client PCs fail to read 
>> and apply GPO. Whereas in other network, we find it is working 
>> properly. Command "gpresult /r" on client shows Group Policy applied 
>> from "pdc.******.com" whereas the logon sever remains either dc1 or 
>> dc2 or dc3 or pdc. The same pdc.********.com throws error in a 
>> specific network. This makes us think whether it is a network issue. 
>> One more important observation is if we stop samba-ad-dc on either 
>> dc2 or dc3 (two more domain controllers) even the specific network 
>> segment that is giving problem also works properly. This gives makes 
>> us to suspect the "GPO Pull" is making GPO inconsistent with PDC. 
>> Probably we have to push the GPO to all additional domain controllers 
>> from pdc.*********.com using rsync?
>> In fact, we have even tested, "software push" to clients using GPO, 
>> startup scripts etc., and every thing was working properly till 
>> inclusion of dc2 and dc3.
>> Your suggestions are welcome.
> Anatha,
>     You shouldn't be pushing the sysvol replication but rather pulling 
> them from for your DC you have chosen to make all GPO changes. from. 
> Did you follow the wiki here?
> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround 
> I would also reduce your replication time to 5 minutes as per the wiki.
> You are also using terms such as PDC and DC it appears 
> interchangeably. I'm assuming you have a pure DC environment and not a 
> PDC.

More information about the samba mailing list