[Samba] Problems in applying GPO and DNS domain name resolution issues
L.P.H. van Belle
belle at bazuin.nl
Wed May 24 07:29:11 UTC 2017
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Anantha Raghava via samba
> Sent: Wednesday 24 May 2017 5:39
> To: samba at lists.samba.org
> CC: ravi.bhat at ardos.in
> Subject: [Samba] Problems in applying GPO and DNS domain
> name resolution issues
>
> Hi,
>
> We are using Samba AD 4.6.3 and built it from source on
> CentOS 7. The DNS back end is BIND 9.9.4
.....
>
> Thinking that ACLs on "Sysvol" are incorrect, we reset the
> SYSVOL using "samba-tool ntacl sysvolreset" command. The
> problems are persisting. Many client workstations do not get
> the policies.
Add user system to sysvol, and don't run samba-tool ntacl sysvolreset again.
Your GPOs should work fine; if not, post the Windows event ID.
>
> Another observation:
>
> The DNS, when queried for domain name throws up the domain
> controller address randomly. That is, we have 3 Domain
> controllers and two of them are turned off for confirming
> whether there are any network issues. DNS randomly throws up
> the domain controller details that are turned off and the
> client workstation reports, cannot find the domain controller.
Now that's something I've seen also.
I see, for example, my SOA record is set to DC2. I can change that to DC1 and up the serial number.
Wait five minutes, check again, SOA back to DC2. Why, I can't explain.
I ignore it; everything works fine here.
For you, check in the DNS, with RSAT, in _msdcs.your.domain.tld.
Are all the alias (CNAME) records for the DCs there, in GUID form?
And do you see all host A records for the DCs there?
>
> Now our questions are:
>
> a. Why the policy deployment is erratic?
It's not; it's just a bug in the samba-tool script, it expects certain rights.
Windows sets other rights.
>
> b. Is there a manner in which we can set the Domain
> Controller priorities in DNS?
Yes you can. More info about that in:
https://technet.microsoft.com/en-us/library/cc978267.aspx
https://technet.microsoft.com/en-us/library/cc772592
But this should not be needed, and I don't advise setting it.
If your setup is correct, you should be able to log in even when you turn off 2 out of 3 DCs.
Greetz,
Louis
>
> Await some guidance.
>
> --
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
>
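The record check suggested in the reply (GUID CNAMEs under _msdcs plus host A records for every DC), as an added example that is not part of the original thread. It works on a plain "name type value" listing of records; the domain, host names, GUIDs and addresses are constructed, a single-domain forest is assumed, and the `_ldap._tcp.dc._msdcs` SRV check is an addition to the two checks named in the reply.

```python
import re

# Constructed sample listing ("name TYPE ... value"), e.g. trimmed query output.
# All names, GUIDs and addresses below are made up for illustration.
SAMPLE = """\
dc1.samdom.example.com. A 10.0.0.1
dc2.samdom.example.com. A 10.0.0.2
11111111-aaaa-4bbb-8ccc-000000000001._msdcs.samdom.example.com. CNAME dc1.samdom.example.com.
22222222-aaaa-4bbb-8ccc-000000000002._msdcs.samdom.example.com. CNAME dc2.samdom.example.com.
33333333-aaaa-4bbb-8ccc-000000000003._msdcs.samdom.example.com. CNAME dc3.samdom.example.com.
_ldap._tcp.dc._msdcs.samdom.example.com. SRV 0 100 389 dc1.samdom.example.com.
_ldap._tcp.dc._msdcs.samdom.example.com. SRV 0 100 389 dc3.samdom.example.com.
"""

# A DC alias is <GUID>._msdcs.<forest root>; match the GUID label strictly.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.", re.I)


def parse(text):
    """Return (owner name, record type, last field) tuples, lower-cased."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            recs.append((parts[0].lower(), parts[1].upper(), parts[-1].lower()))
    return recs


def check_dcs(text, domain, dcs):
    """Map each expected DC FQDN to the list of record kinds it is missing."""
    recs = parse(text)
    suffix = "._msdcs.%s." % domain
    have_a = {n for n, t, _ in recs if t == "A"}
    have_cname = {v for n, t, v in recs
                  if t == "CNAME" and GUID.match(n) and n.endswith(suffix)}
    have_srv = {v for n, t, v in recs
                if t == "SRV" and n == "_ldap._tcp.dc" + suffix}
    report = {}
    for dc in dcs:
        fqdn = "%s.%s." % (dc.lower(), domain)
        kinds = (("A", have_a), ("GUID CNAME", have_cname), ("SRV", have_srv))
        report[fqdn] = [kind for kind, seen in kinds if fqdn not in seen]
    return report


if __name__ == "__main__":
    for host, missing in check_dcs(SAMPLE, "samdom.example.com",
                                   ["DC1", "DC2", "DC3"]).items():
        print(host, "OK" if not missing else "missing: " + ", ".join(missing))
```

An empty list for every DC means each controller has its host record, its GUID alias and its locator SRV record; any other result names the record to look for in the DNS console.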