On 2/9/22 14:32, Matthias Leopold via samba wrote:
> Hi,
>
> is there a way to determine from which DC a GPO is applied in Windows
> when running "gpupdate" or from the automatic(?) updates?
> For reasons I don't understand GPO updates on my Windows 2019 members
> only work from the PDC Emulator DC. On the other DC I get errors about
> "Permission denied" (although sysvol permissions are the same in both
> DCs and "samba-tool ntacl sysvolcheck" is happy). "Group Policy
> Management" in Windows points to the PDC Emulator DC, but the updates
> seem to randomly choose a DC (which is annoying when updates only work
> from one DC).
>
> thx for advice
> Matthias

The GPO client will try to read GPO from domain.local\sysvol\Policies.
In DNS, your A record for domain.local will probably resolve to every
DC, so the DNS client will use one of them randomly. Use the client
hosts file to fix the IP to resolve to when using the name domain.local.
You have to fix those "permission denied" errors.
Meanwhile, change your DNS and leave just domain.local A record pointing
to the working DC. You will have to flush DNS client cache too.
How are you testing access to sysvol on every DC?
Regards.
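
One way to test SYSVOL read access against each DC separately from a Windows member, as an added example that is not part of the original post. It assumes a domain user session, takes the domain name from `USERDNSDOMAIN`, and matches the English `gpresult` output text.

```powershell
# Added example: per-DC SYSVOL read check, run on the Windows domain member.
# Assumption: the logged-on user is a domain user; domain comes from the environment.
$domain = $env:USERDNSDOMAIN

# Enumerate DCs by host name from the SRV records the DC locator uses, so each
# DC is addressed directly instead of through the round-robin domain A record.
$dcs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" |
    Where-Object { $_.NameTarget } |
    Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    $path   = "\\$dc\sysvol\$domain\Policies"
    $errors = @()
    $gpos   = @()
    try {
        # GPO folders are GUID-named; this skips e.g. a PolicyDefinitions store.
        $gpos = @(Get-ChildItem -LiteralPath $path -Directory -ErrorAction Stop |
            Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
        foreach ($gpo in $gpos) {
            try {
                # Reading gpt.ini exercises file-level read on this DC's copy.
                Get-Content -LiteralPath (Join-Path $gpo.FullName 'gpt.ini') `
                    -ErrorAction Stop | Out-Null
            } catch {
                $errors += "$($gpo.Name): $($_.Exception.Message)"
            }
        }
        $status = if ($errors.Count) { 'PARTIAL' } else { 'OK' }
    } catch {
        # The Policies directory itself could not be listed on this DC.
        $status = 'FAILED'
        $errors += $_.Exception.Message
    }
    [pscustomobject]@{
        DC     = $dc
        Status = $status
        GPOs   = $gpos.Count
        Errors = $errors -join '; '
    }
}
$results | Format-Table -AutoSize -Wrap

# Which DC the last user policy refresh used (English output text assumed).
gpresult /r /scope user | Select-String 'Group Policy was applied from'
```

A DC that reports FAILED or PARTIAL here is one whose SYSVOL share or file ACLs the client cannot read, independent of which DC the domain name happens to resolve to.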