[Samba] Apply GPO in Windows from which DC?

Matthias Leopold matthias.leopold at meduniwien.ac.at
Thu Feb 10 16:30:16 UTC 2022



On 09.02.22 at 16:32, Victor Rodriguez via samba wrote:
> 
> On 2/9/22 14:32, Matthias Leopold via samba wrote:
>> Hi,
>>
>> is there a way to determine from which DC a GPO is applied in Windows 
>> when running "gpupdate" or from the automatic(?) updates?
>> For reasons I don't understand GPO updates on my Windows 2019 members 
>> only work from the PDC Emulator DC. On the other DC I get errors about 
>> "Permission denied" (although sysvol permissions are the same in both 
>> DCs and "samba-tool ntacl sysvolcheck" is happy). "Group Policy 
>> Management" in Windows points to the PDC Emulator DC, but the updates 
>> seem to randomly choose a DC (which is annoying when updates only work 
>> from one DC).
>>
>> thx for advice
>> Matthias
> 
> 
> The GPO client will try to read GPO from domain.local\sysvol\Policies. 
> In DNS, your A record for domain.local will probably resolve to every 
> DC, so the DNS client will use one of them randomly. Use the client 
> host file to fix the IP to resolve to when using the name domain.local. 
> You have to fix those "permission denied" errors.
> 
> Meanwhile, change your DNS and leave just domain.local A record pointing 
> to the working DC. You will have to flush DNS client cache too.
> 
> How are you testing access to sysvol on every DC?
> 
> Regards.
> 
> 

My GPO client is connecting to the full domain name for some reason, 
this resolves to both DCs.
I'm not testing access to sysvol on every DC, but I'm watching smbd 
logfiles on both DCs and see when the computer connects for the GPO update.
The "permission denied" errors are a different story again. The UID/GID 
numbers I see in the log line for the connecting computer are completely 
strange. They are from the 3000000 range and when I resolve them with 
wbinfo, they would be user groups(?) or can't be resolved at all. This 
is the same strange behaviour on both DCs, although on one DC access is 
OK, on the other it isn't. File system permissions on sysvol folder are 
OK (when using getfacl) and comparing it to recommendations from 
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh, 
also when reading them from Windows.

Matthias
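The check Matthias describes above (watching smbd logs on both DCs to see which one a member connects to for sysvol, and noticing uid/gid values in the 3000000 range) can be done over saved log files; the following is an added Python example, not code from the thread. It assumes the shape of smbd's log-level-1 "connect to service" line, uses constructed sample log lines, and treats 3000000 as Samba's default lower bound for xids allocated in the AD DC's local idmap.ldb.

```python
import re
from collections import defaultdict

# On a Samba AD DC, a SID with no uidNumber/gidNumber in AD gets an xidNumber
# allocated in the DC-local idmap.ldb; that pool starts at 3000000 by default.
IDMAP_LDB_FLOOR = 3000000

# Shape of smbd's log-level-1 "connect to service" line (assumed, not from the thread).
CONNECT_RE = re.compile(
    r"^\s*(?P<host>\S+) \((?P<addr>[^)]+)\) connect to service (?P<service>\S+) "
    r"initially as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)

def parse_connects(lines):
    """Yield one dict per share connection found in smbd log lines."""
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        # Flag ids that came from the DC's idmap.ldb pool rather than AD attributes;
        # these differ per DC, so wbinfo on another DC may not resolve them the same way.
        rec["idmap_ldb_xid"] = rec["uid"] >= IDMAP_LDB_FLOOR or rec["gid"] >= IDMAP_LDB_FLOOR
        yield rec

def sysvol_connections_by_dc(logs_by_dc, client_host):
    """Map DC name -> list of sysvol connections made by client_host (by NetBIOS/host name)."""
    hits = defaultdict(list)
    for dc, lines in logs_by_dc.items():
        for rec in parse_connects(lines):
            if rec["service"].lower() == "sysvol" and rec["host"].lower() == client_host.lower():
                hits[dc].append(rec)
    return dict(hits)

# Constructed sample lines standing in for log.smbd on two DCs (not real output).
SAMPLE_LOGS = {
    "dc1": [
        "[2022/02/10 09:00:01.000000,  1] ../../source3/smbd/service.c:844(make_connection_snum)",
        "  win2019-01 (ipv4:10.0.0.50:49876) connect to service sysvol initially as user "
        "EXAMPLE\\WIN2019-01$ (uid=3000021, gid=3000014) (pid 4123)",
    ],
    "dc2": [
        "  win2019-01 (ipv4:10.0.0.50:49901) connect to service sysvol initially as user "
        "EXAMPLE\\WIN2019-01$ (uid=3000021, gid=3000014) (pid 2231)",
        "  fileclient (ipv4:10.0.0.61:50012) connect to service netlogon initially as user "
        "EXAMPLE\\alice (uid=10001, gid=10000) (pid 2240)",
    ],
}

if __name__ == "__main__":
    for dc, recs in sysvol_connections_by_dc(SAMPLE_LOGS, "win2019-01").items():
        for r in recs:
            print(dc, r["user"], r["uid"], r["gid"], "idmap.ldb xid" if r["idmap_ldb_xid"] else "AD xid")
```

Run it against the real log.smbd files from each DC (with `log level = 1` or higher) to see which DC a given member actually hit for a gpupdate, and whether its ids are DC-local allocations.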


