[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
Marco Shmerykowsky
marco at sce-engineers.com
Fri Jan 29 19:46:00 UTC 2021
On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
> Run this one on the DC with FSMO roles.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> By default it does not apply the rights yet!
>
> So I would do the following in this case.
>
> 1) run the script on both servers and compare it. (dc1)
> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
> 3) rerun the script and apply the rights. (dc1)
> 4) stop samba on the first DC, get the IDMAP.LDB and copy it to DC2
> 5) start samba DC1.
> 6) stop samba on DC2, now copy idmap.ldb to the correct location.
> 7) start samba on DC2
> 8) sync sysvol DC1 to DC2
> 9) run : dig ns $(hostname -d)
> And verify if BOTH the DCs' NS records are there.
>
> Reboot DC1, wait for it to be up again.
> Reboot DC2, wait for it to be up again.
>
> Run the script again ( on both servers ) and verify it.
>
> last, now go to GPO Editor, and click a few policies.
> if one needs correction, it will complain about incorrect rights, click on the message. And it's done.
>
> Still not working.
> run getfacl on both servers and compare that.
>
> Still not working..
> run this one on both servers and post the output so we can compare both servers.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
I've been looping through the issue and think it's some sort of DNS issue.
The machines are running NetworkManager (even though the wiki says don't,
likely for this very reason), but I finally have dig ns $(hostname -d)
returning the same results on both servers.
When the user logs in on his local machine, the user seems to
get wonky ping results:
ping www.google.com -> Returns a reply
ping ad-domain.company.com -> Returns a reply
ping server.ad-domain.company.com -> no reply
ping server -> No reply
It seems the GPOs are not applying on his machine due to a DNS
error, but I can't reproduce it on my end.
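The "dig ns $(hostname -d)" check from the quoted steps, turned into a small script that can be run on each DC and compared. This is an added example, not from the thread or from the samba4 scripts linked above; the DC hostnames and the dig output embedded below are constructed placeholders.

```shell
#!/bin/sh
# Verify that every DC in the list appears in the zone's NS records,
# given the text that `dig +short ns <domain>` prints.
# Usage: check_ns_records "<dig +short ns output>" dc1.fqdn dc2.fqdn ...
# Returns 0 when all DCs are listed, 1 otherwise (missing ones are printed).
check_ns_records() {
    ns_output=$1
    shift
    missing=0
    for dc in "$@"; do
        want=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        # dig prints names with a trailing dot and arbitrary case; normalise both
        if ! printf '%s\n' "$ns_output" | tr 'A-Z' 'a-z' | sed 's/\.$//' \
              | grep -Fqx "$want"; then
            echo "missing NS record for $dc"
            missing=1
        fi
    done
    return $missing
}

# Compare the NS view seen on two servers after normalising case, trailing
# dots and order. Returns 0 when both servers agree.
same_ns_view() {
    a=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort)
    b=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort)
    [ "$a" = "$b" ]
}

# Constructed sample data: what each DC answered for the zone's NS query.
DC1_VIEW='dc1.ad-domain.company.com.
dc2.ad-domain.company.com.'
DC2_VIEW='DC1.ad-domain.company.com.'

# On a real DC you would replace the sample with:
#   VIEW=$(dig +short ns "$(hostname -d)")
if check_ns_records "$DC1_VIEW" dc1.ad-domain.company.com dc2.ad-domain.company.com; then
    echo "dc1 view: both DCs registered as NS"
fi
if ! check_ns_records "$DC2_VIEW" dc1.ad-domain.company.com dc2.ad-domain.company.com; then
    echo "dc2 view: NS records incomplete, check DNS replication"
fi
if ! same_ns_view "$DC1_VIEW" "$DC2_VIEW"; then
    echo "the two DCs disagree about the zone's NS records"
fi
```

A client that is handed the incomplete view by its resolver will resolve the zone name but not the second DC's FQDN, which matches the ping pattern described above.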