[Samba] Administrator lost write privileges to sysvol (Can't add/edit anything using RSAT Tools)

[Darren Conte]

Rowland, thanks for the replies.

>How was the domain configured in the first place ?

samba-tool domain provision --realm=SAMDOM.COM --domain=SAMDOM
--adminpass="SOME_PASSWD" --server-role=dc –-dns-backend=SAMBA_INTERNAL

>If it wasn't provisioned to use rfc2307 attributes, you possibly do not
have the ypServ30.ldif installed, do the other DCs have the
'idmap_ldb:use rfc2307 = yes' line ?

No, none of the other sites that I administer have the 'idmap_ldb:use rfc
2307 = yes' line, either.

>Is there a simple way to restore the database files without bringing down
> the site for an extended period of time doing an entire restore? It's a
> very busy office with users in many global locations.   I say that because
> since I do not have WRITE access to anything, nothing has change>d.
>
>Is it just one DC, then demote and remove that DC.

Yes, there is one only DC at this location with 5 Win10Pro PCs.

>Try comparing all your DCs, is there anything on the other DCs (Samba
wise) that isn't on the others ?

I have compared each site and I do not see any material differences with
the exception of number of client workstations. syvol permissions are
identitical (it seems), as stated in my original post (both getfacl and
--as-sddl).  Each site has one production DC, which is also used as a file
server. 5-18 Win10 Pro clients joined to the domain. No linux clients, no
'idmap_ldb:use rfc 2307 = yes' line used.

>Rowland

Your help with the exact add, demote and removal steps would be
appreciated.  Its a live production site so I'm worried that I do not fully
understand how I can demote and remove the only DC and still connect using
RSAT. Could you give more detail on step-by-steps you recommend?  I read
the wiki but when I read: "You should never use the 'samba-tool domain
backup/restore' commands to recover an individual DC.", I'm confused why.
What am I missing?

Darren