[Samba] GPO issues - getting SYSVOL cleaned up again

Stefan G. Weichinger lists at xunil.at
Wed Jul 31 15:50:37 UTC 2019


On 31.07.19 at 17:33, L.P.H. van Belle via samba wrote:
> Hai, 
> 
> And thanks for the other check; I needed to know if the A record did exist. 
> 
>>> ldap1 CNAME pre01svdeb02
>>> ldap2 CNAME pre01svdeb03
>> sorry, typo -------------^
> Yes i was expecting that. ;-) 
> 
> What I see: all SOA records and serial numbers are the same where they should be, so that's ok. 
> What I noticed is this part. 
> 
> dig a dc.pilsbacher.at @192.168.16.205/206 replies. 
> 
> DNS1 ( DC1 /pre01svdeb02 (old DC) )	:	A 192.168.16.205 dc.pilsbacher.at	<<< OLD NAME REPLY. 
> DNS2 ( DC2 /pre01svdeb03 )		:	A 192.168.16.206 pre01svdeb03.pilsbacher.at
> 
> Both DNS servers reply the same on a lookup of A dc.pilsbacher.at: 192.168.16.205
> But your PTR lookup replies differently. 
> 
> dig -x 192.168.16.205 @192.168.16.205
> 205.16.168.192.in-addr.arpa. 900 IN	PTR	PRE01SVDEB02.pilsbacher.at.		<<< NEW NAME REPLY.
> 
> dig -x 192.168.16.205 @192.168.16.206
> 205.16.168.192.in-addr.arpa. 900 IN	PTR	PRE01SVDEB02.pilsbacher.at.		<<< NEW NAME REPLY.
> 
> And the problem you're hitting is, as far as I can see, from a buggy samba version in the past. 
> How I see that: PRE01SVDEB02 and pre01svdeb03, the caps and non-caps. 
> And now I'm getting flashbacks.. 
> 
> I've been here before, when I accidentally added a new AD with an existing name or IP. 
> :-// 3-4 years ago..  
> Now this is one for in the evening.. (sorry), but that is the best way to fix it.
> 
> Which is the DC with the FSMO roles? If it's DC1, then move them to pre01svdeb03.pilsbacher.at 
> Remove/purge this DC and join clean again. ( no need to reinstall os etc. just samba )
> 
> DC1 
> systemctl stop samba-ad-dc 
> Backup/remove the files from /var/lib/samba /var/cache/samba and its subfolders! 
> And /etc/samba/smb.conf
> 
> -- and stop ... 
> Now, go clean up with the windows DNS tool. ( connect to DC2 ) 
> Verify ALL zones and especially : _msdcs.pilsbacher.at.  
> Remove the faulty GUID and IP/server names from everything, sub folders etc. there. 
> 
> Remove the A record to DC. 
> Remove the PTR record to PRE01SVDEB02
> Remove everything related to DC PRE01SVDEB02 and 192.168.16.205
> 
> Done, then verify it again, make very sure all records are gone.
> 
> I suggest verifying /etc/hosts and /etc/resolv.conf also, but these should be fine.
> Point your first DNS entry in /etc/resolv.conf to the other DC 192.168.16.206  (pre01svdeb03.pilsbacher.at) 
> 
> kinit Administrator
> And join the domain again. 
> ! DON'T start samba yet. 
> 
> Stop samba on DC2, copy idmap file to DC1 
> 
> Now start samba on DC1 
> And sync sysvol again. 
> And set/verify the rights from windows again on sysvol/netlogon. 
> 
> And now everything is fixed and correct.
> 
> I spent a long time before I did the above, and same as you, a few parts kept coming back wrong. 
> 
> This is in the end the best i can think/recall in fixing it. 
> 
> I wish i had better news, but in the end, you will have a good working setup. 

ok, thank you very much so far.

I read this 2 times for a first overview and will decide if I continue
to work on this now in the evening (very likely! I just have to take
some short break before)

Sure, the FSMO role is on the problematic first DC.

I will rethink all this and maybe start in the next hour or so.

once more: thank you for all the help (so far ;-) more needed afaik)
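The forward/reverse dig comparison in the quoted mail is the check worth repeating after every cleanup step, so here it is as a small script. This is an added example and not code from either poster: it parses the answer section of `dig <name> @<dc>` and `dig -x <ip> @<dc>` runs, follows each A answer to its PTR, and flags three things the thread turns on: a forward name whose PTR points back at a different host (the stale dc.pilsbacher.at record), a PTR that matches only when case is ignored (PRE01SVDEB02 vs pre01svdeb02), and answers that differ between two DCs. The dig text embedded below is constructed to mirror the records quoted above; the hostnames and addresses are the thread's, the function names and the "after cleanup" data set are my own assumptions.

```python
"""Cross-check A and PTR answers from two Samba AD DCs (added example).

Feed parse_dig() the text of `dig <name> @<dc>` / `dig -x <ip> @<dc>`; the
dig output below is constructed inline to mirror the records quoted in the
thread, so the script runs offline.
"""
import re

# One dig answer-section line: OWNER TTL IN TYPE RDATA (tabs or spaces)
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|PTR)\s+(\S+)\s*$")

# Constructed answers as DC1 (192.168.16.205) returns them: the stale
# dc.pilsbacher.at A record and the upper-case PTR are the thread's symptoms.
DC1_DIG = """\
;; ANSWER SECTION:
dc.pilsbacher.at.              900  IN  A    192.168.16.205
pre01svdeb02.pilsbacher.at.    900  IN  A    192.168.16.205
pre01svdeb03.pilsbacher.at.    900  IN  A    192.168.16.206
205.16.168.192.in-addr.arpa.   900  IN  PTR  PRE01SVDEB02.pilsbacher.at.
206.16.168.192.in-addr.arpa.   900  IN  PTR  pre01svdeb03.pilsbacher.at.
"""
# In the thread DC2 (192.168.16.206) answers identically, so reuse the text.
DC2_DIG = DC1_DIG

# Constructed (assumed) answers for the same queries after the cleanup.
CLEAN_DIG = """\
pre01svdeb02.pilsbacher.at.    900  IN  A    192.168.16.205
pre01svdeb03.pilsbacher.at.    900  IN  A    192.168.16.206
205.16.168.192.in-addr.arpa.   900  IN  PTR  pre01svdeb02.pilsbacher.at.
206.16.168.192.in-addr.arpa.   900  IN  PTR  pre01svdeb03.pilsbacher.at.
"""


def norm(name):
    """Owner names compare case-insensitively, with or without trailing dot."""
    return name.lower().rstrip(".")


def parse_dig(text):
    """Parse dig answer lines into {(owner, rtype): [rdata, ...]}.

    Owners are normalised so two DCs can be compared; rdata keeps its original
    case because a case mismatch is exactly the symptom being hunted.
    """
    records = {}
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.setdefault((norm(owner), rtype), []).append(rdata)
    return records


def reverse_name(ip):
    """192.168.16.205 -> 205.16.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_forward_reverse(records, fqdn):
    """Follow every A answer for fqdn to its PTR and report what disagrees."""
    findings = []
    for ip in records.get((norm(fqdn), "A"), []):
        ptrs = records.get((reverse_name(ip), "PTR"), [])
        if not ptrs:
            findings.append(f"{fqdn} -> {ip}: no PTR record")
        for ptr in ptrs:
            ptr_name = ptr.rstrip(".")
            if norm(ptr_name) != norm(fqdn):
                findings.append(f"{fqdn} -> {ip} -> PTR {ptr_name}: "
                                "forward and reverse names disagree")
            elif ptr_name != fqdn.rstrip("."):
                findings.append(f"{fqdn} -> {ip} -> PTR {ptr_name}: "
                                "same name, different case")
    return findings


def compare_dcs(rec_a, rec_b):
    """(owner, rtype) keys whose answers differ between two DCs, case-sensitively."""
    return [k for k in sorted(set(rec_a) | set(rec_b))
            if sorted(rec_a.get(k, [])) != sorted(rec_b.get(k, []))]


if __name__ == "__main__":
    dcs = {"DC1": parse_dig(DC1_DIG), "DC2": parse_dig(DC2_DIG)}
    names = ("dc.pilsbacher.at", "pre01svdeb02.pilsbacher.at",
             "pre01svdeb03.pilsbacher.at")
    for label, recs in dcs.items():
        for name in names:
            for finding in check_forward_reverse(recs, name):
                print(f"[{label}] {finding}")
    for key in compare_dcs(dcs["DC1"], dcs["DC2"]):
        print(f"[DC1 vs DC2] {key[1]} {key[0]} differs")
    for key in compare_dcs(dcs["DC1"], parse_dig(CLEAN_DIG)):
        print(f"[before vs after cleanup] {key[1]} {key[0]} changed")
```

Run it against real dig output from each DC in turn; an empty report for every hostname in the forward zone, plus an empty DC1-vs-DC2 diff, is the "make very sure all records are gone" condition before the rejoin. The script reads dig's answer section only, so query each DC with `dig +noall +answer` or paste the whole output; it never contacts a DC itself.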


