[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Rowland penny
rpenny at samba.org
Tue Feb 2 08:40:07 UTC 2021
On 02/02/2021 03:54, me at tdiehl.org wrote:
> On Mon, 1 Feb 2021, Rowland penny via samba wrote:
>
>> On 01/02/2021 15:41, me at tdiehl.org wrote:
>>> On Fri, 29 Jan 2021, Rowland penny via samba wrote:
>>>
>>>> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>>>>
>>>>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>>>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>>>>
>>>>> On the SambaWiki for Sysvolreset it states:
>>>>>
>>>>> Advice via mailing list (as of May 2018)
>>>>>
>>>>> (courtesy of Rowland Penny)
>>>>>
>>>>> If you have added any custom GPOs, never ever use
>>>>> sysvolcheck or sysvolreset
>>>>>
>>>>> I have GPO's for drive mapping and screen background.
>>>>> I'd assume they qualify as "custom"
>>>>>
>>>>> Should I ir shouldn't I run 'samba-tool ntacl sysvolreset'?
>>>>>
>>>> OK, I have updated that wikipage, it now says:
>>>>
>>>> If you have added any custom GPOs and given Domain Admins a gidNumber
>>>> attribute, never ever use sysvolcheck or sysvolreset, this because
>>>> this
>>>> turns the windows group into a Unix group.
>>>> ''(You are now probably thinking 'what?', a group is just a group,
>>>> right
>>>> ? Well, no, a Windows group can do something that no Unix group
>>>> can, it
>>>> can own files and directories and guess what needs to own files and
>>>> directories in sysvol ??)''
>>>>
>>>>
>>>> If you have added any GPO's and haven't given Domain Admins a
>>>> gidNumber
>>>> attribute, then you can run sysvolreset.
>>>
>>> What about the case where you have custom GPO's but have NOT given
>>> Domain
>>> Admins
>>> a gidNumber? For instance after you join a new DC to the domain.
>>>
>>> Regards,
>>>
>>
>> I don't really understand that, if you join a new DC to a domain
>> where Domain Admins has a gidNumber, then Domain Admins on the new DC
>> will have a gidNumber, but if Domain Admins doesn't have a gidNumber
>> in the domain, then Domain Admins will not have a gidNumber on the
>> new DC.
>
> OK, sorry for not being clear. Let me rephrase the question, If I have
> not given
> Domain Admins a gidNumber but I have custom GPO's should I run
> sysvolreset after
> joining a new DC to the domain and setting up osync or whatever to
> sync the
> sysvols?
>
> Based on what you wrote above, it appears to me that I should run
> sysvolreset in
> my case but I want to be sure I am understanding correctly.
>
> Regards,
>
Yes 😁
Rowland
More information about the samba
mailing list