[Samba] Fwd: RE: Problems in applying GPO and DNS domain name resolution issues

Anantha Raghava raghav at exzatechconsulting.com
Thu Jun 8 16:05:48 UTC 2017


Hello,

Apart from the issues related to DC DB corruption we have observed a few 
other issues:

a. Domain User profile including domain password gets cached on the 
client PC and does not refresh itself.

     i. The Administrator account was used while joining Windows 7 or Windows XP 
workstations to the Domain. The workstation joins the domain properly. The 
Administrator password is changed over a period of time. When we attempt 
to remove the workstation from the Domain, the workstation asks for the 
Administrator's password that was used during the Domain join process and 
not the changed one. This is very strange. Also, if the user changes his 
password, the changed password will not take effect till the workstation 
is rebooted.

b. The DNS information is also cached in the workstation and the same is 
not getting refreshed. Sometimes the name resolution works and sometimes 
not. Incidentally, we have retained only one DC in our setup. We demoted 
the remaining 3 DCs just to confirm.

     i. NS entry for DC1 shows as static in DNS and does not get 
updated, whereas the SOA entry is getting properly updated in the DNS 
with proper time stamp. All client entries are getting updated properly 
dynamically.

c. Policies do not get applied uniformly.

We checked the DHCP server and network as well but found no errors 
anywhere.

Can someone help us resolve the above? These are turning out to be 
critical for us.

We are using Version 4.6.3.

-- 

Thanks & Regards,


Anantha Raghava

eXzaTech Consulting And Services Pvt. Ltd.

Ph: +91-9538849179, E-mail: raghav at exzatechconsulting.com

URL: http://www.exzatechconsulting.com



DISCLAIMER:
This e-mail communication and any attachments may be privileged and 
confidential to eXza Technology Consulting & Services, and are intended 
only for the use of the recipients named above. If you are not the 
addressee you may not copy, forward, disclose or use any part of it. If 
you have received this message in error, please delete it and all copies 
from your system and notify the sender immediately by return e-mail. 
Internet communications cannot be guaranteed to be timely, secure, error 
or virus-free. The sender does not accept liability for any errors or 
omissions.


Do not print this e-mail unless required. Save Paper & trees.




On 25 May 2017 00:19, "L.P.H. van Belle" <belle at bazuin.nl> wrote:

    Hai,
    I think your AD database is out of sync somehow.
    Turn on all DCs, wait a few min, depending on how big the AD is.
    Run on every DC: samba-tool dbcheck
    You probably get errors, but the question is how many per DC.
    This checks the local database per server.
    ( don't fix yet, first collect all info. )
    Next, run: samba-tool drs showrepl
    This shows the database replication status.
    Take note of time stamps, which DC is updated, and errors.
    I also suggest you check the "client" DNS resolving of the server
    and check on a PC also.
    ping dc1(-2-3).domain.tld and ping domain.tld.
    Check your resolv.conf setup on the server. Make sure all have the
    correct search domain first.
    For the PC, check primary DNS domain, and search domain.
    If the "client" resolving is wrong and DCs get out of sync, you have
    strange errors.
    Then review these (again), it's a b.. but it helps understanding
    what happened and how to fix, or what the best fix is.
    https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
    https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses
    https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions

    I had a similar problem last week, PC unable to login to the domain
    with message no trust.
    My AD databases were out of sync, the above steps were what I did
    to find them.
    I ended up manually fixing 1 DC with 4 errors. ( the other had 600+
    found with dbcheck )
    The drs showrepl showed as of when it happened, that matched with my
    user messages.
    And after the manual replication, a reboot of the PC and the problem
    was gone.
    See what you find; if you have more questions, please mail the samba
    list.
    As of today I have 2 weeks vacation, so I'm not so quick in responding,
    and posting there helps you also,
    because I don't know or see everything, there are more eyes on the
    mailing list.
    For so far, good luck,
    Louis

        ------------------------------------------------------------------------
        *From:* Anantha Raghava [mailto:raghav at exzatechconsulting.com]
        *Sent:* Wednesday 24 May 2017 20:09
        *To:* L.P.H. van Belle
        *CC:* ravi.bhat at exzatechconsulting.com
        *Subject:* Re: [Samba] Problems in applying GPO and DNS domain
        name resolution issues

        Hello Louis,

        Thanks for showing us the way.

        Please find our smb.conf attached.

        Now we have demoted two of our DCs which were down. After doing
        so, all dynamic entries that were missing for the last 4 days
        started coming into DNS.

        However, one important thing we observed: still our primary DNS does
        not respond properly all the time. It is erratic. Many a time we have to
        release and renew the IP on the client before DNS responds to
        domain or domain controller queries.

        As we understand, as you have mentioned, the DC and DNS have to
        work even if two of our three Domain controllers are offline.
        But it is not working that way.

        As you have sought, the event IDs and messages are as below:

        1. Event ID: 1054, Date : 24-05-2017, time : 9:26:09 - Message :
        The processing of Group Policy failed. Windows could not obtain
        the name of the Domain Controller. This could be because of name
        resolution failure. Verify your DNS is configured and is working
        properly.

        2. Event ID: 1053, Date : 24-05-2017, time : 9:26:36 - Message :
        The processing of Group Policy failed. This could be because of
        following:

             a. Name resolution failure on current domain controller

             b. Active Directory Replication latency - *This cannot be
        a possibility as only one domain controller is functional and
        the other two are down.*

        3. Event ID: 1014, Date : 24-05-2017, time : 9:31:27 - Message :
        Name resolution for the name dc1 timed out after none of the
        configured DNS servers responded - User is LOCAL SERVICE

        4. Event ID: 1054, Date : 24-05-2017, time : 9:31:27 - Message :
        The client was unable to validate the following as active DNS
        server(s) that can service the client. The server(s) may be
        temporarily unavailable, or may be incorrectly configured.
        172.20.107.30 - User : LOCAL SERVICE

        But the DC is continuously functional, and all other zones
        respond to queries except the AD Zone.

        All DCs were initially configured with internal DNS. When we
        observed the inconsistencies, we changed to BIND DNS.

        We also observed that Windows XP, 7, 8 & 10 workstations cache
        the user credentials and will not update them when credentials are
        updated by the administrator on the DC. It is expected that when the
        user logs off and logs back in, it should take the new
        credentials, but the client workstations don't. They use the
        cached credentials unless the client workstation is rebooted. This
        is very strange.

        Now we are unable to pinpoint whether it is the Samba AD, the
        BIND DNS, the client or the network that is the culprit.

        We really do not know how to proceed further. We request expert
        guidance.

        -- 

        Thanks & Regards,


        Anantha Raghava


        On 24/05/17 5:40 PM, L.P.H. van Belle wrote:
>         how to check your sysvol rights, have a look here :
>         https://support.microsoft.com/nl-nl/help/2838154/-permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-those-in-active-directory-message-when-you-run-gpmc
>
>         The picture explains it.
>         Greetz,
>         Louis
>
>             ------------------------------------------------------------------------
>             *From:* Anantha Raghava
>             [mailto:raghav at exzatechconsulting.com]
>             *Sent:* Wednesday 24 May 2017 12:20
>             *To:* L.P.H. van Belle
>             *CC:* ravi.bhat at exzatechconsulting.com
>             *Subject:* Re: [Samba] Problems in applying GPO and DNS
>             domain name resolution issues
>
>             Hello Louis,
>
>             Add user system to sysvol
>
>             - How do I do it? Normally in Windows we do not do anything like this.
>             Should we have to add any parameter to our smb.conf?
>
>             I will share my smb.conf and named.conf separately.
>
>             -- 
>
>             Thanks & Regards,
>
>
>             Anantha Raghava
>
>             eXzaTech Consulting And Services Pvt. Ltd.
>
>
>
>             On 24/05/17 12:59 PM, L.P.H. van Belle via samba wrote:
>>               
>>
>>>             -----Original message-----
>>>             From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>             Anantha Raghava via samba
>>>             Sent: Wednesday 24 May 2017 5:39
>>>             To: samba at lists.samba.org
>>>             CC: ravi.bhat at ardos.in
>>>             Subject: [Samba] Problems in applying GPO and DNS domain
>>>             name resolution issues
>>>
>>>             Hi,
>>>
>>>             We are using Samba AD 4.6.3 and built it from source on
>>>             CentOS 7. The DNS back end is BIND 9.9.4
>>             .....
>>>             Thinking that ACLs on "Sysvol" are incorrect, we reset the
>>>             SYSVOL using the "samba-tool ntacl sysvolreset" command. The
>>>             problems are persisting. Many client workstations do not get
>>>             the policies.
>>             Add user system to sysvol, and don't run samba-tool ntacl sysvolreset again.
>>             Your GPOs should work fine; if not, post the Windows event id.
>>
>>
>>>             Another observation:
>>>
>>>             The DNS, when queried for the domain name, throws up the domain
>>>             controller address randomly. That is, we have 3 Domain
>>>             controllers and two of them are turned off for confirming
>>>             whether there are any network issues. DNS randomly throws up
>>>             the domain controller details that are turned off and the
>>>             client workstation reports it cannot find the domain controller.
>>             Now that's something I've seen also.
>>             I see for example, my SOA record is set to DC2. I can change that to DC1 and up the serial number.
>>
>>             Wait five min, check again, SOA back to DC2. Why, I can't explain it.
>>             I ignore it, everything works fine here.
>>
>>             For you, check in the DNS, with RSAT, in _msdcs.your.domain.tld.
>>             Are all the alias (CNAME) records for the DCs there, by GUID?
>>             And do you see all host A records for the DCs there?
>>
>>
>>>             Now our questions are:
>>>
>>>             a. Why is the policy deployment erratic?
>>             It's not, it's just a bug in the samba-tool script, it expects certain rights.
>>             Windows sets other rights.
>>
>>>             b. Is there a manner in which we can set the Domain
>>>             Controller priorities in DNS?
>>             Yes you can. More info about that in :
>>             https://technet.microsoft.com/en-us/library/cc978267.aspx
>>             https://technet.microsoft.com/en-us/library/cc772592
>>
>>             But this should not be needed, and I don't advise setting it.
>>             If your setup is correct, you should be able to login even when you turn off 2 out of 3 DCs.
>>
>>
>>             Greetz,
>>
>>             Louis
>>
>>
>>
>>>             Await some guidance.
>>>
>>>             -- 
>>>
>>>             Thanks & Regards,
>>>
>>>
>>>             Anantha Raghava
>>>
>>>
>>>
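As an added example (not code from the thread, and not Samba's own tooling), here are the two offline checks behind the triage Louis describes above: verifying that the AD domain is the first `search` entry in resolv.conf before trusting "client" resolution, and tallying `samba-tool dbcheck` errors per DC from saved output so the DCs can be compared before anything is fixed. The domain `ad.example.com`, the sample resolv.conf files and the sample dbcheck outputs are constructed; the summary line `Checked N objects (M errors)` is assumed to be the final line samba-tool prints.

```shell
#!/bin/sh
# Added example, not from the thread. Offline helpers for the triage above:
#  1. resolv.conf: the AD domain must be the first "search" entry (Louis's rule).
#  2. dbcheck: compare error counts per DC before fixing anything.
# The dbcheck summary-line format "Checked N objects (M errors)" is an
# assumption about samba-tool's output, not taken from the thread.

# resolv_check FILE DOMAIN
# Prints "ok" when DOMAIN is the first search entry and at least one
# nameserver is listed; otherwise prints the reason and returns 1.
resolv_check() {
    file="$1"
    domain="$2"
    first_search=$(awk '$1 == "search" { print $2; exit }' "$file")
    ns_count=$(grep -c '^nameserver' "$file" || true)
    if [ "$ns_count" -eq 0 ]; then
        echo "no-nameserver"
        return 1
    fi
    if [ "$first_search" != "$domain" ]; then
        echo "bad-search"
        return 1
    fi
    echo "ok"
}

# dbcheck_errors FILE
# Extracts the error count from saved "samba-tool dbcheck" output
# (assumed final line: "Checked N objects (M errors)").
dbcheck_errors() {
    sed -n 's/^Checked [0-9][0-9]* objects (\([0-9][0-9]*\) error.*$/\1/p' "$1"
}

# dbcheck_best DC=FILE ...
# Prints the name of the DC with the fewest dbcheck errors, i.e. the one
# you would normally treat as the reference copy when replicating manually.
dbcheck_best() {
    best=""
    best_count=""
    for arg in "$@"; do
        dc=${arg%%=*}
        file=${arg#*=}
        count=$(dbcheck_errors "$file")
        if [ -z "$best" ] || [ "$count" -lt "$best_count" ]; then
            best=$dc
            best_count=$count
        fi
    done
    echo "$best"
}

# --- Constructed sample inputs (not real data from the thread) ---
TMP=${TMPDIR:-/tmp}/samba_triage.$$
mkdir -p "$TMP"
cat > "$TMP/resolv.server" <<'EOF'
search ad.example.com example.com
nameserver 172.20.107.30
EOF
cat > "$TMP/resolv.pc" <<'EOF'
search example.com ad.example.com
nameserver 172.20.107.30
EOF
cat > "$TMP/dbcheck.dc1" <<'EOF'
ERROR: (constructed sample) missing attribute on CN=Some Object,DC=ad,DC=example,DC=com
Checked 2431 objects (4 errors)
EOF
cat > "$TMP/dbcheck.dc2" <<'EOF'
Checked 2431 objects (612 errors)
EOF

# Stand-alone run: prints the verdicts for the samples above.
resolv_check "$TMP/resolv.server" ad.example.com || true
resolv_check "$TMP/resolv.pc" ad.example.com || true
echo "dc1 errors: $(dbcheck_errors "$TMP/dbcheck.dc1")"
echo "cleanest DC: $(dbcheck_best dc1="$TMP/dbcheck.dc1" dc2="$TMP/dbcheck.dc2")"
```

Run it against real files by pointing `resolv_check` at `/etc/resolv.conf` on each DC and at saved `samba-tool dbcheck` output per DC; the point of `dbcheck_best` is only to make the "how many per DC" comparison explicit before any `--fix` is attempted.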

