[Samba] GPO issues - getting SYSVOL cleaned up again
Stefan G. Weichinger
lists at xunil.at
Wed Jul 31 15:50:37 UTC 2019
On 31.07.19 at 17:33, L.P.H. van Belle via samba wrote:
> Hai,
>
> And thanks for the other check; I needed to know if the A record did exist.
>
>>> ldap1 CNAME pre01svdeb02
>>> ldap2 CNAME pre01svdeb03
>> sorry, typo -------------^
> Yes i was expecting that. ;-)
>
> What I see: all SOA records and serial numbers are the same where they should be, so that's OK.
> What I noticed is this part.
>
> dig a dc.pilsbacher.at @192.168.16.205/206 replies.
>
> DNS1 ( DC1 /pre01svdeb02 (old DC) ) : A 192.168.16.205 dc.pilsbacher.at <<< OLD NAME REPLY.
> DNS2 ( DC2 /pre01svdeb03 ) : A 192.168.16.206 pre01svdeb03.pilsbacher.at
>
> Both DNS servers reply the same on the A lookup for dc.pilsbacher.at: 192.168.16.205
> But your PTR lookup replies differently.
>
> dig -x 192.168.16.205 @192.168.16.205
> 205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at. <<< NEW NAME REPLY.
>
> dig -x 192.168.16.205 @192.168.16.206
> 205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at. <<< NEW NAME REPLY.
>
> And the problem you're hitting is, as far as I can see, from a buggy Samba version in the past.
> How I see that: PRE01SVDEB02 and pre01svdeb03, the caps and non-caps.
> And now I'm getting flashbacks..
>
> I've been here before, when I accidentally added a new AD with an existing name or IP.
> :-// 3-4 years ago..
> Now this is one for in the evening.. (sorry), but that is the best way to fix it.
>
> Which is the DC with the FSMO roles? If it's DC1, then move them to pre01svdeb03.pilsbacher.at
> Remove/purge this DC and join clean again. (No need to reinstall the OS etc., just Samba.)
>
> DC1
> systemctl stop samba-ad-dc
> Backup/remove the files from /var/lib/samba /var/cache/samba and its subfolders!
> And /etc/samba/smb.conf
>
> -- and stop ...
> Now, go cleanup with the windows DNS tool. ( connect to DC2 )
> Verify ALL zones and especially : _msdcs.pilsbacher.at.
> Remove the faulty GUID and IP/server names from everything, subfolders etc. there.
>
> Remove the A record to DC.
> Remove the PTR record to PRE01SVDEB02
> Remove everything related to DC PRE01SVDEB02 and 192.168.16.205
>
> Done, then verify it again, make very sure all records are gone.
>
> I suggest verifying /etc/hosts and /etc/resolv.conf also, but these should be fine.
> Point your first DNS entry in /etc/resolv.conf to the other DC 192.168.16.206 (pre01svdeb03.pilsbacher.at)
>
> kinit Administrator
> And join the domain again.
> ! DON'T start Samba yet.
>
> Stop Samba on DC2, copy the idmap file to DC1
>
> Now start samba on DC1
> And sync sysvol again.
> And set/verify the rights from windows again on sysvol/netlogon.
>
> And now everything is fixed and correct.
>
> I spent a long time before I did the above, and same as you, a few parts kept coming back wrong.
>
> This is in the end the best I can think of/recall for fixing it.
>
> I wish i had better news, but in the end, you will have a good working setup.
OK, thank you very much so far.
I read this 2 times for a first overview and will decide if I continue
to work on this now in the evening (very likely! I just have to take
a short break first).
Sure, the FSMO role is on the problematic first DC.
I will rethink all this and maybe start in the next hour or so.
Once more: thank you for all the help (so far ;-) more needed, afaik).
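The diagnostic in the quoted mail compares, on both DCs, the forward A answer for the old name with the PTR answer for the same address, and the two disagree (dc.pilsbacher.at versus PRE01SVDEB02.pilsbacher.at, with a case difference on top). Below is an added example, not code from the thread or from the Samba project, that automates exactly that comparison: it parses `dig +noall +answer`-style lines prefixed with the server that was queried, then reports (1) queries on which the two DCs answer differently, (2) addresses whose forward names and PTR target do not match, and (3) a name that appears in more than one case spelling. The sample answers are constructed from the addresses and names quoted above; the A record for pre01svdeb02.pilsbacher.at is an assumption added so that the case-mismatch check has something to find. Run the real `dig` commands that `dig_commands()` prints and feed their output in the same format.

```python
"""Forward/reverse DNS consistency check across two AD DCs (added example)."""
import re
from collections import defaultdict

# Constructed sample in the form "<server queried>: <dig +noall +answer line>".
# Values come from the thread; the pre01svdeb02 A record is an assumption.
SAMPLE_ANSWERS = """\
192.168.16.205: dc.pilsbacher.at. 900 IN A 192.168.16.205
192.168.16.206: dc.pilsbacher.at. 900 IN A 192.168.16.205
# assumed A record for the renamed DC (not shown in the thread)
192.168.16.205: pre01svdeb02.pilsbacher.at. 900 IN A 192.168.16.205
192.168.16.206: pre01svdeb02.pilsbacher.at. 900 IN A 192.168.16.205
192.168.16.205: pre01svdeb03.pilsbacher.at. 900 IN A 192.168.16.206
192.168.16.206: pre01svdeb03.pilsbacher.at. 900 IN A 192.168.16.206
192.168.16.205: 205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at.
192.168.16.206: 205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at.
192.168.16.205: 206.16.168.192.in-addr.arpa. 900 IN PTR pre01svdeb03.pilsbacher.at.
192.168.16.206: 206.16.168.192.in-addr.arpa. 900 IN PTR pre01svdeb03.pilsbacher.at.
"""

LINE_RE = re.compile(
    r"^(?P<server>\S+):\s+(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>A|PTR)\s+(?P<rdata>\S+)\s*$"
)


def dig_commands(servers, names, ips):
    """Commands that produce the input lines: forward A and reverse PTR on every DC."""
    cmds = []
    for srv in servers:
        cmds += [f"dig +noall +answer @{srv} {n} A" for n in names]
        cmds += [f"dig +noall +answer @{srv} -x {ip}" for ip in ips]
    return cmds


def parse_answers(text):
    """Parse prefixed answer lines; blank lines and '#' comments are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable answer line: {line!r}")
        records.append(m.groupdict())
    return records


def norm_name(name):
    """DNS names compare case-insensitively; drop the trailing dot too."""
    return name.rstrip(".").lower()


def ptr_owner_to_ip(owner):
    """'205.16.168.192.in-addr.arpa.' -> '192.168.16.205'."""
    suffix = ".in-addr.arpa"
    owner = norm_name(owner)
    if not owner.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(owner[: -len(suffix)].split(".")))


def find_inconsistencies(records):
    issues = []
    by_query = defaultdict(dict)   # (owner, rtype) -> {server: answer}
    forward = defaultdict(set)     # ip -> names whose A record points at it
    reverse = defaultdict(set)     # ip -> names returned by its PTR
    spellings = defaultdict(set)   # normalized name -> raw spellings seen
    for r in records:
        key = (norm_name(r["owner"]), r["rtype"])
        if r["rtype"] == "A":
            by_query[key][r["server"]] = r["rdata"]
            forward[r["rdata"]].add(norm_name(r["owner"]))
            spellings[norm_name(r["owner"])].add(r["owner"].rstrip("."))
        else:
            by_query[key][r["server"]] = norm_name(r["rdata"])
            reverse[ptr_owner_to_ip(r["owner"])].add(norm_name(r["rdata"]))
            spellings[norm_name(r["rdata"])].add(r["rdata"].rstrip("."))
    # 1) the DCs must answer identically, or replication/zone state differs
    for (owner, rtype), answers in sorted(by_query.items()):
        if len(set(answers.values())) > 1:
            issues.append(f"servers disagree on {owner} {rtype}: {answers}")
    # 2) every A name for an address should come back from that address's PTR
    ips = sorted(set(forward) | set(reverse), key=lambda s: tuple(int(x) for x in s.split(".")))
    for ip in ips:
        for name in sorted(forward[ip] - reverse[ip]):
            issues.append(f"forward-only: {name} -> {ip} but PTR for {ip} does not return it")
        for name in sorted(reverse[ip] - forward[ip]):
            issues.append(f"reverse-only: PTR {ip} -> {name} but no A record for {name} -> {ip}")
    # 3) one name stored in two case forms is the symptom the thread points at
    for name, forms in sorted(spellings.items()):
        if len(forms) > 1:
            issues.append(f"mixed case for {name}: {sorted(forms)}")
    return issues


if __name__ == "__main__":
    for cmd in dig_commands(["192.168.16.205", "192.168.16.206"],
                            ["dc.pilsbacher.at"], ["192.168.16.205"]):
        print(cmd)
    for issue in find_inconsistencies(parse_answers(SAMPLE_ANSWERS)):
        print("ISSUE:", issue)
```

On the constructed sample the check reports the stale forward-only name (dc.pilsbacher.at still resolving to 192.168.16.205 while the PTR returns the new name) and the mixed-case spelling of pre01svdeb02; it stays quiet for pre01svdeb03, where forward and reverse agree. After the cleanup steps in the quoted mail, rerunning the same comparison with an empty issue list is the confirmation that all records for the old name are really gone from both DCs.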