[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
rpenny at samba.org
Mon Feb 1 15:54:21 UTC 2021
On 01/02/2021 15:41, me at tdiehl.org wrote:
> On Fri, 29 Jan 2021, Rowland Penny via samba wrote:
>> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>> On the SambaWiki for Sysvolreset it states:
>>> Advice via mailing list (as of May 2018)
>>> (courtesy of Rowland Penny)
>>> If you have added any custom GPOs, never ever use
>>> sysvolcheck or sysvolreset
>>> I have GPO's for drive mapping and screen background.
>>> I'd assume they qualify as "custom"
>>> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>> OK, I have updated that wikipage, it now says:
>> If you have added any custom GPOs and given Domain Admins a gidNumber
>> attribute, never ever use sysvolcheck or sysvolreset, this is because
>> this turns the windows group into a Unix group.
>> ''(You are now probably thinking 'what?', a group is just a group,
>> right ? Well, no, a Windows group can do something that no Unix group
>> can, it can own files and directories and guess what needs to own
>> files and directories in sysvol ??)''
>> If you have added any GPO's and haven't given Domain Admins a
>> gidNumber attribute, then you can run sysvolreset.
> What about the case where you have custom GPO's but have NOT given
> Domain Admins a gidNumber? For instance after you join a new DC to
> the domain.
I don't really understand that, if you join a new DC to a domain where
Domain Admins has a gidNumber, then Domain Admins on the new DC will
have a gidNumber, but if Domain Admins doesn't have a gidNumber in the
domain, then Domain Admins will not have a gidNumber on the new DC.
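
The check implied by the wiki advice quoted above, as an added example that is not part of the original mail or of Samba itself: it reads `ldbsearch` LDIF output and reports whether Domain Admins carries a `gidNumber`. The function name, the `sam.ldb` path in the usage comment and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): apply the wiki rule quoted above.
# Input: LDIF on stdin, in the form ldbsearch prints it.
# Output / exit status:
#   "allowed"              0  Domain Admins has no gidNumber
#   "blocked gidNumber=N"  1  Domain Admins has a gidNumber: do not run sysvolreset
#   "unknown"              2  no Domain Admins record in the input
sysvolreset_advice() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF input
        tolower($0) ~ /^dn: cn=domain admins,/ { seen = 1 }
        tolower($0) ~ /^gidnumber: /           { gid = $2 }
        END {
            if (!seen)     { print "unknown"; exit 2 }
            if (gid != "") { print "blocked gidNumber=" gid; exit 1 }
            print "allowed"
        }'
}

# Constructed sample records (hypothetical domain samdom.example.com).
SAMPLE_WITH_GID='# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10001

# returned 1 records'

SAMPLE_WITHOUT_GID='# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com

# returned 1 records'

# Run against the constructed samples so the script works offline.
for sample in "$SAMPLE_WITH_GID" "$SAMPLE_WITHOUT_GID"; do
    printf '%s\n' "$sample" | sysvolreset_advice || true
done

# On a DC, feed it the real record instead (sam.ldb path is an assumption,
# it depends on how Samba was packaged or built):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(sAMAccountName=Domain Admins)' gidNumber | sysvolreset_advice
```

Because the attribute lives in the replicated directory, running the query on the newly joined DC gives the same answer as on the existing one, which is the point made in the reply above.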