[Samba] GPO issues - getting SYSVOL cleaned up again

L.P.H. van Belle belle at bazuin.nl
Wed Jul 31 15:33:32 UTC 2019


Hai, 

And thanks for the other check; I needed to know if the A record did exist. 

>> ldap1 CNAME pre01svdeb02
>> ldap2 CNAME pre01svdeb03
>sorry, typo -------------^
Yes, I was expecting that. ;-) 

What I see: all SOA records and serial numbers are the same, where they should be, so that's ok. 
What I noticed is this part. 

dig a dc.pilsbacher.at @192.168.16.205/206 replies: 

DNS1 ( DC1 / pre01svdeb02 (old DC) ) : A 192.168.16.205 dc.pilsbacher.at             <<< OLD NAME REPLY. 
DNS2 ( DC2 / pre01svdeb03 )          : A 192.168.16.206 pre01svdeb03.pilsbacher.at

Both DNS servers reply the same on the lookup of A dc.pilsbacher.at: 192.168.16.205. 
But your PTR lookup replies differently. 

dig -x 192.168.16.205 @192.168.16.205
205.16.168.192.in-addr.arpa. 900 IN	PTR	PRE01SVDEB02.pilsbacher.at.		<<< NEW NAME REPLY.

dig -x 192.168.16.205 @192.168.16.206
205.16.168.192.in-addr.arpa. 900 IN	PTR	PRE01SVDEB02.pilsbacher.at.		<<< NEW NAME REPLY.

And the problem you're hitting is, as far as I can see, from a buggy Samba version in the past. 
How I see that: PRE01SVDEB02 and pre01svdeb03, the caps and non-caps. 
And now I'm getting flashbacks.. 

I've been here before, when I accidentally added a new AD with an existing name or IP. 
:-// 3-4 years ago..  
Now this is one for in the evening.. (sorry), but that is the best way to fix it.

Which is the DC with the FSMO roles? If it's DC1, then move them to pre01svdeb03.pilsbacher.at. 
Remove/purge this DC and join clean again. ( No need to reinstall the OS etc., just Samba. )

DC1: 
systemctl stop samba-ad-dc 
Backup/remove the files from /var/lib/samba and /var/cache/samba and their subfolders! 
And /etc/samba/smb.conf

-- and stop ... 
Now, go clean up with the Windows DNS tool. ( Connect to DC2. ) 
Verify ALL zones and especially: _msdcs.pilsbacher.at.  
Remove the faulty GUID and IP/server names from everything, subfolders etc. there. 

Remove the A record for DC. 
Remove the PTR record for PRE01SVDEB02. 
Remove everything related to DC PRE01SVDEB02 and 192.168.16.205.

Done? Then verify it again; make very sure all records are gone.

I suggest verifying /etc/hosts and /etc/resolv.conf also, but these should be fine.
Point your first DNS entry in /etc/resolv.conf to the other DC, 192.168.16.206 (pre01svdeb03.pilsbacher.at). 

kinit Administrator
And join the domain again. 
! DON'T start Samba yet. 

Stop Samba on DC2, copy the idmap file to DC1. 

Now start Samba on DC1. 
And sync sysvol again. 
And set/verify the rights from Windows again on sysvol/netlogon. 

And now everything is fixed and correct.

I spent a long time before I did the above, and same as you, a few parts kept coming back wrong. 

This is, in the end, the best I can think of/recall for fixing it. 

I wish I had better news, but in the end you will have a good working setup. 


Greetz, 

Louis
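The forward/reverse check Louis walks through above, written up as a small script so the same symptoms (an old name still resolving to the DC's IP, and a PTR target that differs from the current host name only in case) can be spotted across both DNS servers at once. This is an added example, not code from the post or from Samba; the dig answer lines are constructed from the values quoted in the message, and the answer-line format it parses (owner, TTL, IN, type, rdata) is the usual dig answer section.

```python
import re
from typing import Dict, List, Tuple

# Constructed dig answer lines (values are those quoted in the post above).
# Keys are the DNS server each query was sent to with "@server".
A_ANSWERS = {
    "192.168.16.205": "dc.pilsbacher.at.\t900\tIN\tA\t192.168.16.205",
    "192.168.16.206": "dc.pilsbacher.at.\t900\tIN\tA\t192.168.16.205",
}
PTR_ANSWERS = {
    "192.168.16.205": "205.16.168.192.in-addr.arpa. 900 IN\tPTR\tPRE01SVDEB02.pilsbacher.at.",
    "192.168.16.206": "205.16.168.192.in-addr.arpa. 900 IN\tPTR\tPRE01SVDEB02.pilsbacher.at.",
}

# One answer-section line of dig output: owner, TTL, class IN, A or PTR, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|PTR)\s+(\S+)$")

def parse_rr(line: str) -> Tuple[str, int, str, str]:
    """Split one dig answer line into (owner, ttl, type, rdata), trailing dots removed."""
    m = RR_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an A/PTR answer line: {line!r}")
    owner, ttl, rtype, rdata = m.groups()
    return owner.rstrip("."), int(ttl), rtype, rdata.rstrip(".")

def check_dc_records(a_answers: Dict[str, str], ptr_answers: Dict[str, str],
                     current_host: str) -> List[str]:
    """Compare the forward answer for the DC name with the reverse answer for its IP,
    per DNS server, and report the symptoms described in the post."""
    findings = []
    targets = {parse_rr(l)[3] for l in ptr_answers.values()}
    if len(targets) > 1:  # the servers do not hold the same reverse record
        findings.append(f"DNS servers disagree on the PTR target: {sorted(targets)}")
    for srv, line in a_answers.items():
        owner, _, _, ip = parse_rr(line)
        ptr_target = parse_rr(ptr_answers[srv])[3]
        if ptr_target.lower() != owner.lower():
            # The forward name still resolves to the IP, but the IP no longer points back to it.
            findings.append(f"{srv}: A {owner} -> {ip}, but PTR {ip} -> {ptr_target} (stale forward name)")
        if ptr_target != current_host and ptr_target.lower() == current_host.lower():
            # Same host, different case: the leftover the post attributes to an older Samba version.
            findings.append(f"{srv}: PTR {ptr_target} differs only in case from {current_host}")
    return findings

if __name__ == "__main__":
    for f in check_dc_records(A_ANSWERS, PTR_ANSWERS, "pre01svdeb02.pilsbacher.at"):
        print(f)
```

Rerun it against fresh dig output after the cleanup steps; an empty list means forward and reverse agree on both DCs.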
