[Samba] GPO issues - getting SYSVOL cleaned up again

L.P.H. van Belle belle at bazuin.nl
Wed Jul 31 15:33:32 UTC 2019


And thanks for the other check; I needed to know if the A record did exist. 

>> ldap1 CNAME pre01svdeb02
>> ldap2 CNAME pre01svdeb03
>sorry, typo -------------^
Yes, I was expecting that. ;-) 

What I see: all SOA records and serial numbers are the same where they should be, so that's ok. 
What I noticed is this part. 

dig a dc.pilsbacher.at @ replies. 

DNS1 ( DC1 /pre01svdeb02 (old DC) )	:	A dc.pilsbacher.at	<<< OLD NAME REPLY. 
DNS2 ( DC2 /pre01svdeb03 )		:	A pre01svdeb03.pilsbacher.at

Both DNS servers reply the same on lookup A dc.pilsbacher.at too.
But your PTR lookup replies differently. 

dig -x @ 900 IN	PTR	PRE01SVDEB02.pilsbacher.at.		<<< NEW NAME REPLY.

dig -x @ 900 IN	PTR	PRE01SVDEB02.pilsbacher.at.		<<< NEW NAME REPLY.

And the problem you're hitting is, as far as I can see, from a buggy samba version in the past. 
How I see that: PRE01SVDEB02 and pre01svdeb03, the CAPS and non-caps. 
And now I'm getting flashbacks.. 

I've been here before, when I accidentally added a new AD with an existing name or IP. 
:-// 3-4 years ago..  
Now this is one for in the evening.. (sorry), but that is the best way to fix it.

Which is the DC with the FSMO roles? If it's DC1, then move them to pre01svdeb03.pilsbacher.at 
Remove/purge this DC and join clean again. ( no need to reinstall the OS etc., just samba )

systemctl stop samba-ad-dc 
Backup/remove the files from /var/lib/samba /var/cache/samba and their subfolders! 
And /etc/samba/smb.conf

-- and stop ... 
Now, go clean up with the Windows DNS tool. ( connect to DC2 ) 
Verify ALL zones and especially: _msdcs.pilsbacher.at.  
Remove the faulty GUID and IP/servernames from everything, subfolders etc. there. 

Remove the A record for DC. 
Remove the PTR record for PRE01SVDEB02. 
Remove everything related to DC PRE01SVDEB02 and

Done? Then verify it again; make very sure all records are gone.

I suggest verifying /etc/hosts and /etc/resolv.conf also, but these should be fine.
Point your first DNS entry in /etc/resolv.conf to the other DC (pre01svdeb03.pilsbacher.at) 

kinit Administrator
And join the domain again. 
! DON'T start samba yet. 

Stop samba on DC2, copy the idmap file to DC1 

Now start samba on DC1 
And sync sysvol again. 
And set/verify the rights from Windows again on sysvol/netlogon. 

And now everything is fixed and correct.

I spent a long time before I did the above, and same as you, a few parts kept coming back wrong. 

This is in the end the best I can think of/recall for fixing it. 

I wish I had better news, but in the end you will have a good working setup. 
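The DNS consistency check and the purge/rejoin sequence from the message above, written out as a script. This is an added example and not code from the post or from the Samba project. It takes the names the thread gives (zone pilsbacher.at, DC1 pre01svdeb02 to be purged, DC2 pre01svdeb03 which keeps the FSMO roles); the address OLD_DC_IP, the reverse zone REV_ZONE and the backup paths are assumed placeholders that have to be replaced. The DNS cleanup uses samba-tool where the post uses the Windows DNS console; the idmap copy uses tdbbackup for a consistent copy instead of stopping samba on DC2, which the post does.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Run the stages on the DC
# named in each function's comment. OLD_DC_IP and REV_ZONE are placeholders.
set -u

DOMAIN=pilsbacher.at
OLD_DC=pre01svdeb02                         # DC1: purged and rejoined
GOOD_DC=pre01svdeb03                        # DC2: keeps FSMO roles, source of truth
OLD_DC_IP=${OLD_DC_IP:-192.0.2.2}           # assumed placeholder, replace
REV_ZONE=${REV_ZONE:-2.0.192.in-addr.arpa}  # assumed placeholder, replace

# Lowercase and strip the trailing dot so PRE01SVDEB02.pilsbacher.at. and
# pre01svdeb02.pilsbacher.at compare equal: DNS names are case-insensitive,
# the mixed case in the post is only the fingerprint of the stale record.
norm_name() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# 0 when a forward name and a PTR answer name the same host, 1 otherwise.
forward_reverse_agree() { [ "$(norm_name "$1")" = "$(norm_name "$2")" ]; }

# First answer of a lookup against one specific server (empty when none).
dig_first() { # dig_first <server> <type> <name-or-ip>
  case "$2" in
    PTR) dig +short -x "$3" "@$1" ;;
    *)   dig +short "$2" "$3" "@$1" ;;
  esac | head -n 1
}

# Ask both DCs what DC1's name, its address and the legacy "dc" name resolve
# to, as in the post, and flag any answer that disagrees. Returns 1 on mismatch.
check_dns() {
  rc=0
  for srv in "$OLD_DC" "$GOOD_DC"; do
    fwd=$(dig_first "$srv" A "$OLD_DC.$DOMAIN")
    rev=$(dig_first "$srv" PTR "$OLD_DC_IP")
    legacy=$(dig_first "$srv" A "dc.$DOMAIN")
    printf '%s: A %s -> %s | PTR %s -> %s | A dc.%s -> %s\n' \
      "$srv" "$OLD_DC.$DOMAIN" "$fwd" "$OLD_DC_IP" "$rev" "$DOMAIN" "$legacy"
    [ "$fwd" = "$OLD_DC_IP" ] || { echo "  MISMATCH on $srv: A record is '$fwd'"; rc=1; }
    forward_reverse_agree "$OLD_DC.$DOMAIN" "$rev" \
      || { echo "  MISMATCH on $srv: PTR points at '$rev'"; rc=1; }
    [ -z "$legacy" ] || { echo "  STALE on $srv: dc.$DOMAIN still resolves"; rc=1; }
  done
  return $rc
}

# On DC1, after the FSMO roles are on DC2 (on DC2: samba-tool fsmo show, and
# samba-tool fsmo transfer --role=all if they are still on DC1). Samba state is
# moved aside, not deleted, so it can be inspected later.
purge_local() {
  stamp=$(date +%Y%m%d-%H%M%S)
  systemctl stop samba-ad-dc
  for d in /var/lib/samba /var/cache/samba; do
    mv "$d" "$d.$stamp.bak" && mkdir -p "$d"
  done
  mv /etc/samba/smb.conf "/etc/samba/smb.conf.$stamp.bak"
}

# On DC2. List what still refers to DC1 in the forward zone, in _msdcs and in
# the reverse zone; delete with the record data exactly as the query prints it.
dns_cleanup() {
  samba-tool dns query "$GOOD_DC" "$DOMAIN" dc A -U Administrator
  samba-tool dns query "$GOOD_DC" "$DOMAIN" "$OLD_DC" A -U Administrator
  samba-tool dns query "$GOOD_DC" "_msdcs.$DOMAIN" @ ALL -U Administrator
  samba-tool dns query "$GOOD_DC" "$REV_ZONE" "${OLD_DC_IP##*.}" PTR -U Administrator
  # Deletions take the data shown above, e.g. (assumed values):
  # samba-tool dns delete "$GOOD_DC" "$DOMAIN" dc A "$OLD_DC_IP" -U Administrator
  # samba-tool dns delete "$GOOD_DC" "$REV_ZONE" "${OLD_DC_IP##*.}" PTR "$OLD_DC.$DOMAIN" -U Administrator
}

# On DC1, once DNS is clean and /etc/resolv.conf lists DC2 first. Samba is
# deliberately not started here: the idmap copy has to come first.
rejoin() {
  grep -q "^nameserver" /etc/resolv.conf || { echo "no nameserver in resolv.conf"; return 1; }
  kinit Administrator
  samba-tool domain join "$DOMAIN" DC -U Administrator --dns-backend=SAMBA_INTERNAL
}

# On DC1. Copy DC2's idmap so both DCs map SIDs to the same Unix IDs, then
# start samba, pull sysvol with its ACLs/xattrs intact and reset the NT ACLs.
sync_from_dc2() {
  ssh "root@$GOOD_DC.$DOMAIN" 'tdbbackup -s .bak /var/lib/samba/private/idmap.ldb'
  scp "root@$GOOD_DC.$DOMAIN:/var/lib/samba/private/idmap.ldb.bak" /var/lib/samba/private/idmap.ldb
  net cache flush
  systemctl start samba-ad-dc
  rsync -XAav --delete-after "root@$GOOD_DC.$DOMAIN:/var/lib/samba/sysvol/" /var/lib/samba/sysvol/
  samba-tool ntacl sysvolreset
  samba-tool ntacl sysvolcheck
}

case "${1:-}" in
  check)  check_dns ;;
  purge)  purge_local ;;
  dns)    dns_cleanup ;;
  rejoin) rejoin ;;
  sync)   sync_from_dc2 ;;
esac
```

Run `sh dc-rejoin.sh check` (assumed file name) from any host that can reach both DCs before and after the cleanup; the purge, dns, rejoin and sync stages are separate so each can be verified before the next one is started.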


