[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
me at tdiehl.org
Mon Feb 1 15:41:46 UTC 2021
On Fri, 29 Jan 2021, Rowland Penny via samba wrote:
> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>
>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>
>> On the SambaWiki for Sysvolreset it states:
>>
>> Advice via mailing list (as of May 2018)
>>
>> (courtesy of Rowland Penny)
>>
>> If you have added any custom GPOs, never ever use
>> sysvolcheck or sysvolreset
>>
>> I have GPO's for drive mapping and screen background.
>> I'd assume they qualify as "custom"
>>
>> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>>
> OK, I have updated that wikipage, it now says:
>
> If you have added any custom GPOs and given Domain Admins a gidNumber
> attribute, never ever use sysvolcheck or sysvolreset, this is because this turns
> the windows group into a Unix group.
> ''(You are now probably thinking 'what?', a group is just a group, right ?
> Well, no, a Windows group can do something that no Unix group can, it can own
> files and directories and guess what needs to own files and directories in
> sysvol ??)''
>
>
> If you have added any GPO's and haven't given Domain Admins a gidNumber
> attribute, then you can run sysvolreset.
What about the case where you have custom GPO's but have NOT given Domain Admins
a gidNumber? For instance after you join a new DC to the domain.

Regards,
--
Tom me at tdiehl.org
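
The condition in the wiki text quoted above (does Domain Admins carry a gidNumber attribute?) can be checked before touching sysvol. The following is an added example, not part of the original thread or of Samba itself; the function names, the sam.ldb path in the comment and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate sysvolreset on the condition from the quoted wiki text.
# Input is LDIF on stdin, e.g. from ldbsearch on a DC (the sam.ldb path is an
# assumption and varies by install):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(sAMAccountName=Domain Admins)' gidNumber

# Print the gidNumber of the Domain Admins entry, or nothing if it has none.
domain_admins_gid() {
    awk '
        /^$/ { in_da = 0; next }                 # blank line ends a record
        /^#/ { next }                            # ldbsearch comment lines
        tolower($0) ~ /^dn: cn=domain admins,/ { in_da = 1; next }
        in_da && tolower($1) == "gidnumber:" { print $2; exit }
    '
}

# Return 0 when the quoted advice permits sysvolreset, 1 when it says never.
sysvolreset_allowed() {
    gid=$(domain_admins_gid)
    if [ -n "$gid" ]; then
        echo "Domain Admins has gidNumber $gid: do not run sysvolcheck/sysvolreset" >&2
        return 1
    fi
    echo "Domain Admins has no gidNumber: sysvolreset permitted per the quoted advice" >&2
    return 0
}

# Constructed sample records (not taken from the thread).
SAMPLE_WITH_GID='# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10001

# record 2
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10000

# returned 2 records'

SAMPLE_WITHOUT_GID='# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com

# returned 1 records'
```

Pipe real `ldbsearch` output into `sysvolreset_allowed` on each DC; the exit status can guard a wrapper around `samba-tool ntacl sysvolreset`.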