[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
me at tdiehl.org
me at tdiehl.org
Tue Feb 2 03:54:58 UTC 2021
On Mon, 1 Feb 2021, Rowland penny via samba wrote:
> On 01/02/2021 15:41, me at tdiehl.org wrote:
>> On Fri, 29 Jan 2021, Rowland penny via samba wrote:
>>
>>> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>>>
>>>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>>>
>>>> On the SambaWiki for Sysvolreset it states:
>>>>
>>>> Advice via mailing list (as of May 2018)
>>>>
>>>> (courtesy of Rowland Penny)
>>>>
>>>> If you have added any custom GPOs, never ever use
>>>> sysvolcheck or sysvolreset
>>>>
>>>> I have GPO's for drive mapping and screen background.
>>>> I'd assume they qualify as "custom"
>>>>
>>>> Should I ir shouldn't I run 'samba-tool ntacl sysvolreset'?
>>>>
>>> OK, I have updated that wikipage, it now says:
>>>
>>> If you have added any custom GPOs and given Domain Admins a gidNumber
>>> attribute, never ever use sysvolcheck or sysvolreset, this because this
>>> turns the windows group into a Unix group.
>>> ''(You are now probably thinking 'what?', a group is just a group, right
>>> ? Well, no, a Windows group can do something that no Unix group can, it
>>> can own files and directories and guess what needs to own files and
>>> directories in sysvol ??)''
>>>
>>>
>>> If you have added any GPO's and haven't given Domain Admins a gidNumber
>>> attribute, then you can run sysvolreset.
>>
>> What about the case where you have custom GPO's but have NOT given Domain
>> Admins
>> a gidNumber? For instance after you join a new DC to the domain.
>>
>> Regards,
>>
>
> I don't really understand that, if you join a new DC to a domain where Domain
> Admins has a gidNumber, then Domain Admins on the new DC will have a
> gidNumber, but if Domain Admins doesn't have a gidNumber in the domain, then
> Domain Admins will not have a gidNumber on the new DC.
OK, sorry for not being clear. Let me rephrase the question, If I have not given
Domain Admins a gidNumber but I have custom GPO's should I run sysvolreset after
joining a new DC to the domain and setting up osync or whatever to sync the
sysvols?
Based on what you wrote above, it appears to me that I should run sysvolreset in
my case but I want to be sure I am understanding correctly.
Regards,
--
Tom me at tdiehl.org
More information about the samba
mailing list