Marco Shmerykowsky
2021-Jan-28 20:42 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>
>> Just to add to this:
>>
>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>> following:
>
> I know you are syncing sysvol between the two DC's, but are you also
> syncing idmap.ldb from the first DC to the second ?
>
> If you aren't, then you will probably have different xidNumbers on each DC.
>
> Rowland

I did the sync once when I set up the server. The docs on the wiki seem to imply this is a one-time step and not something that needs to be done continuously.

I did find a configuration error on the new DC that may have affected the way DNS was working; however, after correcting that the user is still reporting that after logon the GPOs are not being applied.

I cannot replicate the problem on my end.

The results of the drive map according to gpresult from the user's computer produce (Error Code: 0x80070035).
Rowland penny
2021-Jan-28 20:57 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 28/01/2021 20:42, Marco Shmerykowsky via samba wrote:
>
> On 1/28/2021 2:02 PM, Rowland penny via samba wrote:
>> On 28/01/2021 18:54, Marco Shmerykowsky via samba wrote:
>>>
>>> Just to add to this:
>>>
>>> If I run 'samba-tool ntacl sysvolcheck' on either server I get the
>>> following:
>>
>> I know you are syncing sysvol between the two DC's, but are you also
>> syncing idmap.ldb from the first DC to the second ?
>>
>> If you aren't, then you will probably have different xidNumbers on
>> each DC.
>>
>> Rowland
>
> I did the sync once when I set up the server. The docs on the
> wiki seem to imply this is a one-time step and not something
> that needs to be done continuously.
>
> I did find a configuration error on the new DC that may
> have affected the way DNS was working; however, after
> correcting that the user is still reporting that after
> logon the GPOs are not being applied.
>
> I cannot replicate the problem on my end.
>
> The results of the drive map according to gpresult
> from the user's computer produce (Error Code: 0x80070035).
>

I believe that error code means that the directory cannot be found, though it could be a permissions problem. It could be something as simple as giving Domain Admins a gidNumber attribute.

idmap.ldb works by giving domain users & groups an xidNumber attribute (not to be confused with uidNumber & gidNumber attributes). These are allocated on a first-come basis, so you may have to sync idmap.ldb a few times to ensure they match; without doing this, the wrong user or group may be used.

Windows has the concept of groups owning files & folders. On Unix a group cannot own anything, so, in idmap.ldb, you find groups marked as 'ID_TYPE_BOTH'. If you give such a group a gidNumber, it becomes just a group and cannot own anything. Domain Admins is such a group.

Rowland
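To check the point Rowland makes about first-come xidNumber allocation, here is an added example (not from the thread or from the Samba project) that compares two idmap.ldb exports and lists every SID whose xidNumber differs between the DCs, together with its ID_TYPE. It assumes the exports were produced with ldbsearch on each DC; the two LDIF-style samples below are constructed, with RID 512 standing in for Domain Admins.

```python
import re
# Constructed sample exports (not real data) in the LDIF style that
# 'ldbsearch -H /var/lib/samba/private/idmap.ldb "(objectClass=sidMap)"
# objectSid type xidNumber' prints. RID 512 is Domain Admins.
DC1_IDMAP = """\
# record 1
dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-1105
objectSid: S-1-5-21-1-2-3-1105
type: ID_TYPE_UID
xidNumber: 3000001
"""
DC2_IDMAP = """\
dn: CN=S-1-5-21-1-2-3-1105
objectSid: S-1-5-21-1-2-3-1105
type: ID_TYPE_UID
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

def parse_idmap(text):
    # Map objectSid -> (xidNumber, type); skip '# record N' comment lines.
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, val = line.split(":", 1)
            attrs[key.strip()] = val.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            records[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type", "?"))
    return records

def find_mismatches(dc1, dc2):
    # SIDs whose xidNumber differs between the DCs, or exists on only one.
    out = []
    for sid in sorted(set(dc1) | set(dc2)):
        x1, x2 = dc1.get(sid, (None, "?")), dc2.get(sid, (None, "?"))
        if x1[0] != x2[0]:
            out.append({"sid": sid, "dc1": x1[0], "dc2": x2[0], "type": x1[1] if x1[0] is not None else x2[1]})
    return out
```

In the sample the two DCs allocated the same two xidNumbers in opposite order, so Domain Admins (ID_TYPE_BOTH) maps to a different Unix ID on each DC; an empty result after re-syncing idmap.ldb is what you want to see.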