[Samba] Fwd: RE: Problems in applying GPO and DNS domain name resolution issues
Anantha Raghava
raghav at exzatechconsulting.com
Thu Jun 8 16:05:48 UTC 2017
Hello,
Apart from the issues related to DC DB corruption, we have observed a few
other issues:
a. The domain user profile, including the domain password, gets cached on the
client PC and does not refresh itself.
i. The Administrator account was used while joining a Windows 7 or Windows XP
workstation to the domain. The workstation joins the domain properly. The
Administrator password is changed over a period of time. When we attempt
to remove the workstation from the domain, the workstation asks for the
Administrator password that was used during the domain join process and
not the changed one. This is very strange. Also, if a user changes his
password, the changed password will not take effect until the workstation
is rebooted.
b. The DNS information is also cached on the workstation and is not
getting refreshed. Sometimes the name resolution works and sometimes
not. Incidentally, we have retained only one DC in our setup. We demoted
the remaining 3 DCs just to confirm.
i. The NS entry for DC1 shows as static in DNS and does not get
updated, whereas the SOA entry is getting properly updated in DNS
with the proper time stamp. All client entries are getting updated properly
and dynamically.
c. Policies do not get applied uniformly.
We checked the DHCP server and the network as well but found no errors
anywhere.
Can someone help us resolve the above? These are turning out to be
critical for us.
We are using version 4.6.3.
--
Thanks & Regards,
Anantha Raghava
eXzaTech Consulting And Services Pvt. Ltd.
Ph: +91-9538849179, E-mail: raghav at exzatechconsulting.com
URL: http://www.exzatechconsulting.com
DISCLAIMER:
This e-mail communication and any attachments may be privileged and
confidential to eXza Technology Consulting & Services, and are intended
only for the use of the recipients named above. If you are not the
addressee you may not copy, forward, disclose or use any part of it. If
you have received this message in error, please delete it and all copies
from your system and notify the sender immediately by return e-mail.
Internet communications cannot be guaranteed to be timely, secure, error
or virus-free. The sender does not accept liability for any errors or
omissions.
Do not print this e-mail unless required. Save Paper & trees.
On 25 May 2017 00:19, "L.P.H. van Belle" <belle at bazuin.nl> wrote:
Hai,
I think your AD database is out of sync somehow.
Turn on all DCs, wait a few min, depending on how big the AD is.
Run on every DC: samba-tool dbcheck
You probably get errors, but the question is how many per DC.
This checks the local database per server.
( Don't fix yet, first collect all info. )
Next, run: samba-tool drs showrepl
This shows the database replication status.
Take note of the time stamps, which DC is updated, and errors.
I also suggest you check the "client" DNS resolving of the server
and check on a PC also.
ping dc1(-2-3).domain.tld and ping domain.tld.
Check your resolv.conf setup on the server. Make sure all have the
correct search domain first.
For the PC, check the primary DNS domain and search domain.
If the "client" resolving is wrong and DCs get out of sync, you have
strange errors.
Then review these (again), it's a b.. but it helps understanding
what happened and how to fix or what the best fix is.
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses
https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
I had a similar problem last week, a PC unable to log in to the domain
with the message no trust.
My AD databases were out of sync, the above steps were what I did
to find them.
I ended up manually fixing 1 DC with 4 errors. ( The other had 600+
found with dbcheck. )
The drs showrepl showed as of when it happened, which matched with my
user messages.
And after the manual replication, a reboot of the PC and the problem
was gone.
See what you find; if you have more questions, please mail the samba
list.
As of today I have 2 weeks vacation, so I'm not so quick in responding,
and posting there helps you also,
because I don't know or see everything, there are more eyes on the
mailing list.
For so far, good luck,
Louis
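Louis's first steps (run `samba-tool dbcheck` and `samba-tool drs showrepl` on every DC, note the time stamps and which DC last updated) mean reading several screens of showrepl output per DC by hand. The script below is an added example, not part of the thread and not Samba's own tooling: it parses the INBOUND NEIGHBORS section of `samba-tool drs showrepl` and lists every partition/source-DC pair that has consecutive failures or no successful sync inside a chosen window, which is exactly the "which DC dropped out of sync, and since when" question Louis is answering. The sample output, host names, GUIDs and time stamps embedded in it are constructed and shaped after the command's output format; on a real DC you would pipe the command into the script instead.

```python
"""Triage helper for 'samba-tool drs showrepl' output.

Added example, not Samba's own code. It reads the text the command prints on a
DC and lists every inbound neighbour (partition + source DC) whose replication
has consecutive failures or no recent success, so the DC that dropped out of
sync stands out.  Usage on a DC:  samba-tool drs showrepl | python3 showrepl_triage.py
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample, shaped after the command's output format: DC1 replicates
# fine from DC2 but has not pulled DomainDnsZones from DC3 in four days.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC1
DSA Options: 0x00000001
DSA object GUID: 7f4c5a9e-0000-4000-8000-000000000001
DSA invocationId: 0a1b2c3d-0000-4000-8000-000000000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tDSA object GUID: 7f4c5a9e-0000-4000-8000-000000000002
\t\tLast attempt @ Thu Jun  8 10:02:02 2017 UTC was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Thu Jun  8 10:02:02 2017 UTC

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
\tDefault-First-Site-Name\\DC3 via RPC
\t\tDSA object GUID: 7f4c5a9e-0000-4000-8000-000000000003
\t\tLast attempt @ Thu Jun  8 10:02:05 2017 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
\t\t57 consecutive failure(s).
\t\tLast success @ Sun Jun  4 09:15:40 2017 UTC

==== OUTBOUND NEIGHBORS ====
"""
# "now" used when triaging the constructed sample (about half an hour after DC2 synced)
SAMPLE_NOW = datetime(2017, 6, 8, 10, 30)

NEIGHBOUR_RE = re.compile(r"^\t(?P<source>\S+) via (?P<transport>\S+)$")
ATTEMPT_RE = re.compile(r"^\t\tLast attempt @ (?P<when>.+?) (?:was successful|failed, result (?P<result>.+))$")
FAILURES_RE = re.compile(r"^\t\t(?P<n>\d+) consecutive failure\(s\)\.$")
SUCCESS_RE = re.compile(r"^\t\tLast success @ (?P<when>.+)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_time(text):
    """'Thu Jun  8 10:02:02 2017 UTC' -> datetime; the trailing zone name is dropped.
    Returns None for values that are not a time stamp (e.g. NTTIME(0) = never)."""
    stamp = " ".join(text.split()[:5])  # weekday, month, day, clock, year
    try:
        return datetime.strptime(stamp, TIME_FMT)
    except ValueError:
        return None


def parse_inbound(showrepl_text):
    """Return one dict per inbound neighbour found in the INBOUND NEIGHBORS section."""
    neighbours, in_inbound, partition, current = [], False, None, None
    for line in showrepl_text.splitlines():
        if line.startswith("===="):               # section header
            in_inbound = "INBOUND NEIGHBORS" in line
            continue
        if not in_inbound or not line.strip():
            continue
        if not line.startswith("\t"):             # unindented: naming context (partition)
            partition = line.strip()
            continue
        m = NEIGHBOUR_RE.match(line)
        if m:                                     # one tab: source DC for this partition
            current = {"partition": partition, "source": m["source"], "transport": m["transport"],
                       "failures": 0, "last_result": None, "last_success": None}
            neighbours.append(current)
            continue
        if current is None:
            continue
        if (m := ATTEMPT_RE.match(line)):         # two tabs: status lines of that neighbour
            current["last_result"] = m["result"] or "success"
        elif (m := FAILURES_RE.match(line)):
            current["failures"] = int(m["n"])
        elif (m := SUCCESS_RE.match(line)):
            current["last_success"] = parse_time(m["when"])
    return neighbours


def stale_neighbours(neighbours, now, max_age=timedelta(hours=1)):
    """Neighbours with any consecutive failures, or no successful sync within max_age."""
    bad = []
    for n in neighbours:
        too_old = n["last_success"] is None or now - n["last_success"] > max_age
        if n["failures"] > 0 or too_old:
            bad.append(n)
    return bad


def triage_sample():
    """Run the triage over the constructed sample."""
    return stale_neighbours(parse_inbound(SAMPLE_SHOWREPL), SAMPLE_NOW)


if __name__ == "__main__":
    if sys.stdin.isatty():                        # no piped input: demonstrate on the sample
        bad = triage_sample()
    else:
        bad = stale_neighbours(parse_inbound(sys.stdin.read()), datetime.now())
    for n in bad:
        print(f"{n['partition']}: from {n['source']} via {n['transport']}: "
              f"{n['failures']} consecutive failure(s), last result {n['last_result']}, "
              f"last success {n['last_success']}")
```

Run it on each DC in turn and compare: the DC whose neighbours all show failures since the same date is the one whose database stopped receiving updates, and that date is what you match against the first user complaints, as Louis did with his showrepl time stamps. The one-hour window is an assumption; adjust `max_age` to your replication interval.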
------------------------------------------------------------------------
*From:* Anantha Raghava [mailto:raghav at exzatechconsulting.com]
*Sent:* Wednesday, 24 May 2017 20:09
*To:* L.P.H. van Belle
*CC:* ravi.bhat at exzatechconsulting.com
*Subject:* Re: [Samba] Problems in applying GPO and DNS domain
name resolution issues
Hello Louis,
Thanks for showing us the way.
Please find our smb.conf attached.
Now we have demoted two of our DCs which were down. After doing
so, all dynamic entries that had been missing for the last 4 days
started coming into DNS.
However, one important thing we observed: still our primary DNS does
not work properly all the time. It is erratic. Many a time we have to
release and renew the IP on the client before DNS responds to
domain or domain controller queries.
As we understand, and as you have mentioned, the DC and DNS have to
work even if two of our three domain controllers are offline.
But it is not working that way.
As you have requested, the event IDs and messages are as below:
1. Event ID: 1054, Date: 24-05-2017, Time: 9:26:09 - Message:
The processing of Group Policy failed. Windows could not obtain
the name of the Domain Controller. This could be because of name
resolution failure. Verify your DNS is configured and is working
properly.
2. Event ID: 1053, Date: 24-05-2017, Time: 9:26:36 - Message:
The processing of Group Policy failed. This could be because of
the following:
a. Name resolution failure on the current domain controller
b. Active Directory Replication latency - *This cannot be
a possibility as only one domain controller is functional and the
other two are down.*
3. Event ID: 1014, Date: 24-05-2017, Time: 9:31:27 - Message:
Name resolution for the name dc1 timed out after none of the
configured DNS servers responded - User: LOCAL SERVICE
4. Event ID: 1054, Date: 24-05-2017, Time: 9:31:27 - Message:
The client was unable to validate the following as active DNS
server(s) that can service the client. The server(s) may be
temporarily unavailable, or may be incorrectly configured.
172.20.107.30 - User: LOCAL SERVICE
But the DC is continuously functional, and all other zones
respond to queries except the AD zone.
All DCs were initially configured with the internal DNS. When we
observed the inconsistencies, we changed to BIND DNS.
We also observed that Windows XP, 7, 8 & 10 workstations cache
the user credentials and will not update them when credentials are
updated by the administrator on the DC. It is expected that when the
user logs off and logs back in, it should take the new
credentials, but client workstations don't. They use the
cached credentials unless the client workstation is rebooted. This
is very strange.
Now we are unable to pinpoint whether it is the Samba
AD, the BIND DNS, the client or the network that is the culprit.
We really do not know how to proceed further. We request expert
guidance.
--
Thanks & Regards,
Anantha Raghava
On 24/05/17 5:40 PM, L.P.H. van Belle wrote:
> How to check your sysvol rights, have a look here:
> https://support.microsoft.com/nl-nl/help/2838154/-permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-those-in-active-directory-message-when-you-run-gpmc
>
> The picture explains it.
> Greetz,
> Louis
>
> ------------------------------------------------------------------------
> *From:* Anantha Raghava
> [mailto:raghav at exzatechconsulting.com]
> *Sent:* Wednesday, 24 May 2017 12:20
> *To:* L.P.H. van Belle
> *CC:* ravi.bhat at exzatechconsulting.com
> *Subject:* Re: [Samba] Problems in applying GPO and DNS
> domain name resolution issues
>
> Hello Louis,
>
> Add user system to sysvol
>
> - How do I do it? Normally in Windows we do not do anything like this.
> Do we have to add any parameter to our smb.conf?
>
> I will share my smb.conf and named.conf separately.
>
> --
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
> eXzaTech Consulting And Services Pvt. Ltd.
>
>
>
> On 24/05/17 12:59 PM, L.P.H. van Belle via samba wrote:
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Anantha Raghava via samba
>>> Sent: Wednesday, 24 May 2017 5:39
>>> To: samba at lists.samba.org
>>> CC: ravi.bhat at ardos.in
>>> Subject: [Samba] Problems in applying GPO and DNS domain
>>> name resolution issues
>>>
>>> Hi,
>>>
>>> We are using Samba AD 4.6.3 and built it from source on
>>> CentOS 7. The DNS back end is BIND 9.9.4
>> .....
>>> Thinking that ACLs on "Sysvol" are incorrect, we reset the
>>> SYSVOL using the "samba-tool ntacl sysvolreset" command. The
>>> problems are persisting. Many client workstations do not get
>>> the policies.
>> Add user system to sysvol, and don't run samba-tool ntacl sysvolreset again.
>> Your GPOs should work fine; if not, post the Windows event ID.
>>
>>
>>> Another observation:
>>>
>>> The DNS, when queried for the domain name, throws up the domain
>>> controller address randomly. That is, we have 3 domain
>>> controllers and two of them are turned off for confirming
>>> whether there are any network issues. DNS randomly throws up
>>> the details of the domain controllers that are turned off and the
>>> client workstation reports that it cannot find the domain controller.
>> Now that's something I've seen also.
>> I see for example my SOA record is set to DC2. I can change that to DC1 and up the serial number.
>>
>> Wait five min, check again, SOA back to DC2. Why, I can't explain it.
>> I ignore it, everything works fine here.
>>
>> For you, check in the DNS, with RSAT, in _msdcs.your.domain.tld.
>> Are all the aliases (CNAME) of the DCs there, in GUID form?
>> And do you see all host A records for the DCs there?
>>
>>
>>> Now our questions are:
>>>
>>> a. Why is the policy deployment erratic?
>> It's not, it's just a bug in the samba-tool script, it expects certain rights.
>> Windows sets other rights.
>>
>>> b. Is there a manner in which we can set the Domain
>>> Controller priorities in DNS?
>> Yes you can. More info about that in:
>> https://technet.microsoft.com/en-us/library/cc978267.aspx
>> https://technet.microsoft.com/en-us/library/cc772592
>>
>> But this should not be needed, and I don't advise setting it.
>> If your setup is correct, you should be able to log in even when you turn off 2 out of 3 DCs.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> Await some guidance.
>>>
>>> --
>>>
>>> Thanks & Regards,
>>>
>>>
>>> Anantha Raghava
>>>
>>>
>>>
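Two threads of the discussion point at the same check: Louis's advice to look in `_msdcs.your.domain.tld` for the per-DC GUID CNAME aliases and the host A records, and the observation that DNS keeps handing clients the details of domain controllers that are turned off (the cause of the "Windows could not obtain the name of the Domain Controller" event above). The script below is an added example, not from the thread and not Samba tooling. It resolves the SRV names a Windows client queries to locate a DC, reports any SRV target that is not in the set of DCs you know to be live (records left behind by a powered-off or demoted DC), checks that each live DC has the expected A record and, optionally, that its `<DSA object GUID>._msdcs.<domain>` CNAME points back to it (the GUID is the one `samba-tool drs showrepl` prints as "DSA object GUID"). The domain, DC list, addresses, GUID and the fake resolver answers are constructed; `dig_resolver`, which shells out to BIND's `dig`, is the assumed way to run it against a real domain from a DC or a Linux client.

```python
"""Audit the DNS records an AD client needs to find a domain controller.

Added example, not Samba's own code. Compares what DNS answers with the set
of DCs the admin knows to be live, so SRV records left behind by a demoted or
powered-off DC (which make clients pick an unreachable DC) show up as findings.
Usage: python3 dc_dns_audit.py samdom.example.com dc1.samdom.example.com=192.0.2.10 ...
"""
import subprocess
import sys

# SRV names a Windows client queries during DC location.
SRV_PATTERNS = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
)


def dig_resolver(name, rtype, server=None):
    """Resolver backed by BIND's dig; returns the '+short' answer lines.
    SRV answers come back as 'prio weight port target.' lines."""
    cmd = ["dig", "+short", "+time=2", "+tries=1", "-t", rtype, name]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line]


def _norm(name):
    """Compare DNS names without trailing dot and case-insensitively."""
    return name.rstrip(".").lower()


def audit_dc_records(domain, live_dcs, resolve, dsa_guids=None):
    """live_dcs: {fqdn: expected IPv4}; dsa_guids: {fqdn: DSA object GUID} (optional).
    resolve(name, rtype) -> list of answer strings. Returns a list of finding strings."""
    findings = []
    live = {_norm(h) for h in live_dcs}
    for pattern in SRV_PATTERNS:
        name = pattern.format(d=domain)
        answers = resolve(name, "SRV")
        if not answers:
            findings.append(f"{name}: no SRV records")
            continue
        targets = {_norm(a.split()[-1]) for a in answers}   # last field is the target host
        for stale in sorted(targets - live):
            findings.append(f"{name}: SRV target {stale} is not a live DC (stale record)")
        for missing in sorted(live - targets):
            findings.append(f"{name}: live DC {missing} has no SRV record")
    for host, addr in live_dcs.items():
        got = resolve(host, "A")
        if addr not in got:
            findings.append(f"{host}: A record is {got or 'missing'}, expected {addr}")
        guid = (dsa_guids or {}).get(host)
        if guid:                                             # GUID alias Louis asks to check
            alias = f"{guid}._msdcs.{domain}"
            cname = [_norm(c) for c in resolve(alias, "CNAME")]
            if _norm(host) not in cname:
                findings.append(f"{alias}: CNAME is {cname or 'missing'}, expected {host}")
    return findings


# Constructed sample zone: dc2 was switched off but its _msdcs SRV record remains.
SAMPLE_DOMAIN = "samdom.example.com"
SAMPLE_LIVE_DCS = {"dc1.samdom.example.com": "192.0.2.10"}
SAMPLE_GUIDS = {"dc1.samdom.example.com": "7f4c5a9e-0000-4000-8000-000000000001"}
SAMPLE_ZONE = {
    ("_ldap._tcp.dc._msdcs.samdom.example.com", "SRV"): [
        "0 100 389 dc1.samdom.example.com.", "0 100 389 dc2.samdom.example.com."],
    ("_kerberos._tcp.dc._msdcs.samdom.example.com", "SRV"): ["0 100 88 dc1.samdom.example.com."],
    ("_ldap._tcp.samdom.example.com", "SRV"): ["0 100 389 dc1.samdom.example.com."],
    ("_kerberos._tcp.samdom.example.com", "SRV"): ["0 100 88 dc1.samdom.example.com."],
    ("_kpasswd._tcp.samdom.example.com", "SRV"): ["0 100 464 dc1.samdom.example.com."],
    ("dc1.samdom.example.com", "A"): ["192.0.2.10"],
    ("7f4c5a9e-0000-4000-8000-000000000001._msdcs.samdom.example.com", "CNAME"): [
        "dc1.samdom.example.com."],
}


def sample_resolver(name, rtype):
    """Offline stand-in for dig_resolver, answering from the constructed zone."""
    return SAMPLE_ZONE.get((name, rtype), [])


def audit_sample():
    return audit_dc_records(SAMPLE_DOMAIN, SAMPLE_LIVE_DCS, sample_resolver, SAMPLE_GUIDS)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        dcs = dict(arg.split("=", 1) for arg in sys.argv[2:])
        findings = audit_dc_records(sys.argv[1], dcs, dig_resolver)
    else:
        findings = audit_sample()
    print("\n".join(findings) or "no findings")
```

Run it against each DNS server the clients actually use (pass `server=` to `dig_resolver` if you want to pin one); a stale SRV target for a DC that is off is what makes the DC locator intermittently pick an unreachable controller, and removing that record, or `samba-tool domain demote` for a DC that will not return, is the fix rather than changing DC priorities in DNS.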