[Samba] Group Policy Issues
Anantha Raghava
raghav at exzatechconsulting.com
Tue Dec 12 02:32:45 UTC 2017
Hello James,

After reducing the rsync execution time to 5 minutes from 30 minutes,
the problem seems to have got fixed. However, we will continue to
observe the setup for a week.

Yes, I followed the
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround.
The only difference being I am not using xinetd or a password file. I
have created the ssh keys between all servers and rsync can log in
without any password.

PDC and DC1 etc., are just names for us to identify. We have an all-DC /
pure DC environment. We are running samba version 4.7.1. We will upgrade
it to 4.7.3 shortly.

Thanks for your suggestions and support.
--
Thanks & Regards,
Anantha Raghava
On 11/12/17 6:43 PM, lingpanda101 via samba wrote:
> On 12/8/2017 9:39 PM, Anantha Raghava via samba wrote:
>> Hello James,
>>
>> Thanks for your suggestion.
>>
>> When we had two servers in the pool, we were pushing GPO using rsync
>> from PDC every 30 minutes. However, when we added the two more
>> domain controllers, our rsync script turned out to be a pull from PDC
>> every 30 minutes. Would this have made those policy objects
>> inconsistent?
>>
>> We have set up unidirectional sysvol replication using rsync, that is,
>> a push from pdc.*******.com to dc1.*******.com every 30 minutes.
>> However, on dc2.*******.com and dc3.********.com the cron job
>> executes on dc2.*******.com and dc3.*********.com every 30 minutes
>> and pulls the contents of sysvol. The cron job is working properly on all
>> servers.
>>
>> The surprising part is, in a specific network the client PCs fail to read
>> and apply GPO, whereas in another network, we find it is working
>> properly. The command "gpresult /r" on a client shows Group Policy applied
>> from "pdc.******.com" whereas the logon server remains either dc1 or
>> dc2 or dc3 or pdc. The same pdc.********.com throws an error in a
>> specific network. This makes us wonder whether it is a network issue.
>> One more important observation is that if we stop samba-ad-dc on either
>> dc2 or dc3 (the two additional domain controllers), even the specific network
>> segment that is giving problems also works properly. This makes
>> us suspect the "GPO Pull" is making GPO inconsistent with PDC.
>> Probably we have to push the GPO to all additional domain controllers
>> from pdc.*********.com using rsync?
>>
>> In fact, we have even tested "software push" to clients using GPO,
>> startup scripts etc., and everything was working properly till the
>> inclusion of dc2 and dc3.
>>
>> Your suggestions are welcome.
>>
> Anantha,
>
> You shouldn't be pushing the sysvol replication but rather pulling
> it from the DC you have chosen to make all GPO changes from.
> Did you follow the wiki here?
>
> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>
>
> I would also reduce your replication time to 5 minutes as per the wiki.
>
> You are also using terms such as PDC and DC it appears
> interchangeably. I'm assuming you have a pure DC environment and not a
> PDC.
>
>
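
The thread turns on whether the SysVol copies on the additional DCs have drifted from the DC where GPO changes are made. The following is an added example, not code from the thread or from the Samba wiki, that compares two copies of a SysVol tree by file content and reports the GPT.INI version on each side when a policy differs. It assumes both trees are reachable as local directories (for example a mount or a scratch copy of each DC's sysvol); the function names are hypothetical.

```python
import hashlib
import os
import re
import sys


def manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = hashlib.sha256(fh.read()).hexdigest()
    return files


def gpt_version(root, rel):
    """Read the Version= value from a GPT.INI file, or None if absent."""
    try:
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            m = re.search(r"^\s*Version\s*=\s*(\d+)", fh.read(), re.I | re.M)
    except OSError:
        return None
    return int(m.group(1)) if m else None


def drift(reference, replica):
    """List (path, status) differences of replica relative to reference."""
    ref, rep = manifest(reference), manifest(replica)
    report = []
    for path in sorted(set(ref) | set(rep)):
        if path not in rep:
            report.append((path, "missing on replica"))
        elif path not in ref:
            report.append((path, "extra on replica"))
        elif ref[path] != rep[path]:
            status = "content differs"
            if path.lower().endswith("gpt.ini"):
                status += " (GPT.INI version %s vs %s)" % (
                    gpt_version(reference, path), gpt_version(replica, path))
            report.append((path, status))
    return report


if __name__ == "__main__":
    # Usage: sysvol_drift.py <reference sysvol copy> <replica sysvol copy>
    findings = drift(sys.argv[1], sys.argv[2])
    for path, status in findings:
        print("%s: %s" % (status, path))
    sys.exit(1 if findings else 0)
```

The comparison covers file content only; ACLs and extended attributes on the SysVol files are not compared. A non-zero exit status makes it usable from cron or a monitoring check after each rsync run.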