[Samba] GPO issues - getting SYSVOL cleaned up again

L.P.H. van Belle belle at bazuin.nl
Thu Aug 1 11:15:13 UTC 2019


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Thursday 1 August 2019 12:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
> 
> On 01.08.19 at 09:13, L.P.H. van Belle via samba wrote:
> > Good morning Stefan. 
> > 
> > You're welcome. I see everything worked out now. Great !! 
> > Well done, you made it happen.  :-) 
> 
> thanks a lot.
> The issues there were there for months at least ... glad with 
> the progress.
> 
> Not fully done, see below ...
> 
> > What I suggest now, at least these are the steps I always do to make sure the DCs are having an exact same setup. 
> > First, I clear all my logs and reboot one server. 
> > Wait 15-30 min, then go through all your logs, fix every warning/error. 
> > Make it perfect. 
> > Reboot again, repeat this until it's 100% correct booting. 
> 
> It ain't perfect yet, but I assume this is related to the computer
> accounts and might be solved by rejoining these machines.
> 
> I see stuff like:
> 
> Aug 01 10:04:38 pre01svdeb02 samba[17958]: 
> task[dcesrv][17958]:   Failed
> to modify SPNs on
> CN=ROHRHOFER-PC,OU=Pilsbacher-Computer,DC=pilsbacher,DC=at: acl: spn
> validation failed for spn[TERMSRV/ROHRHOFER-PC.mydomain.at] 
> uac[0x1000]
> account[ROHRHOFER-PC$] hostname[ROHRHOFER-PC.BUERO] nbname[BUERO]
> ntds[(null)] forest[mydomain.at] domain[mydomain.at]
> 
In this case, you can check for the rights on that PC object. 
Verify A (and optional PTR). 
It is known that in a few cases we are missing SPNs. 

Are your PCs updating their own A records, or is this done by the DHCP server
(or both)? 

And/or you might have 2 PCs with the same PC name. 

Best option in my opinion: remove this PC from the domain, rename the PC. 
Reboot, run sysprep and re-join. 


> 
> 
> > I suggest one more thing and that is, you check the following. 
> > Check if your zones have both the NS records. 
> > Start up the DNS tool. 
> > 
> > Go to your primary DNS zone (and repeat for all other zones). 
> > Do you see all your DCs as NS records in the zone? Then it's OK; if not.. 
> 
> That's OK
> 
> What I don't like:
> 
> in the reverse lookup zone there is one A-record ... for the pre01svdeb03 Name
> 
> I think there should be no A-record in the rev-lookup-zone ... and if yes, there should be 2 then, one for each DC, right?
> 
> So I think that record should be removed, OK?

No, you should add the other DC also. 
Source: https://simpledns.com/help/ns-records , line 1 and 2. 

Greetz, 

Louis
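
Added example, not part of the original message and not Samba's own code: a small Python parser for the "spn validation failed" log entry quoted above, comparing the SPN's host part with the account[] and hostname[] fields. It assumes the host part is expected to equal the account name without "$" or the hostname[] value; the function names are hypothetical and the sample is the quoted entry re-joined onto one line.

```python
import re

# Constructed input: the log entry quoted in the message, re-joined onto one line.
SAMPLE = ("Aug 01 10:04:38 pre01svdeb02 samba[17958]: task[dcesrv][17958]:   "
          "Failed to modify SPNs on CN=ROHRHOFER-PC,OU=Pilsbacher-Computer,"
          "DC=pilsbacher,DC=at: acl: spn validation failed for "
          "spn[TERMSRV/ROHRHOFER-PC.mydomain.at] uac[0x1000] "
          "account[ROHRHOFER-PC$] hostname[ROHRHOFER-PC.BUERO] nbname[BUERO] "
          "ntds[(null)] forest[mydomain.at] domain[mydomain.at]")

MARKER = "spn validation failed for "
FIELD = re.compile(r"(\w+)\[([^\]]*)\]")


def parse_spn_failure(line):
    """Return the key[value] fields that follow the marker, or None."""
    _, found, tail = line.partition(MARKER)
    if not found:
        return None
    fields = {k: (None if v == "(null)" else v) for k, v in FIELD.findall(tail)}
    m = re.search(r"Failed to modify SPNs on (.+?): acl:", line)
    fields["dn"] = m.group(1) if m else None
    return fields


def explain(fields):
    """Compare the SPN's host part with the names logged for the account."""
    # Assumption: the host part should equal account (without $) or hostname[].
    findings = []
    service, _, rest = (fields.get("spn") or "").partition("/")
    host = rest.split("/")[0].split(":")[0].lower()
    account = (fields.get("account") or "").rstrip("$").lower()
    hostname = (fields.get("hostname") or "").lower()
    if not service or not host:
        return ["malformed SPN"]
    if host in (account, hostname):
        return findings  # names agree; check object rights or duplicate names instead
    if host.split(".")[0] == account and hostname:
        spn_suffix = host.partition(".")[2]
        host_suffix = hostname.partition(".")[2]
        findings.append(f"SPN uses DNS suffix '{spn_suffix}' but hostname[] has '{host_suffix}'")
    else:
        findings.append(f"SPN host '{host}' matches neither account[] nor hostname[]")
    domain = (fields.get("domain") or "").lower()
    if hostname and domain and not hostname.endswith("." + domain):
        findings.append(f"hostname[] '{hostname}' is outside domain '{domain}'")
    return findings
```

Running explain(parse_spn_failure(SAMPLE)) reports the suffix difference between the SPN and hostname[], which is a useful starting point when verifying the A record and the computer object as suggested in the reply.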



