Hi Louis,

See below,

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : EBEN-TEST-PC
   Primary Dns Suffix . . . . . . . : domain.corp
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.corp

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . : domain.corp
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-67-2C-53
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.210.130(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 06 April 2016 01:17:33 PM
   Lease Expires . . . . . . . . . . : 06 April 2016 03:14:04 PM
   Default Gateway . . . . . . . . . : 172.16.210.2
   DHCP Server . . . . . . . . . . . : 172.16.210.254
   DNS Servers . . . . . . . . . . . : 10.102.219.51
                                       10.102.219.50
                                       10.132.33.48
                                       10.132.33.2
   Primary WINS Server . . . . . . . : 172.16.210.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

I have already tested disjoin and rejoining the PC, still the same error. I did a clean installation with new hostname as well.

Also see below Microsoft analyst report

User Logon Info
************
User Name : domain\user
User SID : S-1-5-21-801203796-115225906-466470621-4513
User Object DN : CN=user##SELECTION_END##,OU=Users,DC=domain,DC=corp
User Password Last Set : 7/16/2015 3:20:41 PM
UserAccountControl Value : {NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD}
Logon Authentication Method : Kerberos
User Domain : domain.corp
Computer Site : Default-First-Site-Name
Computer Role : Client
Computer Operating System : Windows 7
Computer Domain : domain.corp
Domain Controller : {zafprdc001.domain.corp}
Global Catalog : {zacprdc001.domain.corp}

System Logs:
***********
11/2/2015 10:15:00 AM Warning EBEN-TEST-PC.domain.corp 1014 Microsoft-Windows-DNS-Client N/A NT AUTHORITY\NETWORK SERVICE Name resolution for the name _ldap._tcp.dc._msdcs.domain.corp timed out after none of the configured DNS servers responded.
http://social.technet.microsoft.com/wiki/contents/articles/3336.event-id-1014-microsoft-windows-dns-client.aspx

11/2/2015 10:15:02 AM Error EBEN-TEST-PC.domain.corp 5719 NETLOGON N/A N/A This computer was not able to set up a secure session with a domain controller in domain domain due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
https://support.microsoft.com/en-us/kb/938449

11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 1058 Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The processing of Group Policy failed. Windows attempted to read the file \\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-D95765CC1AD0}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
https://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx

11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 1110 Microsoft-Windows-GroupPolicy N/A domain\EBEN-TEST-PC The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
https://technet.microsoft.com/en-us/library/cc727342(v=ws.10).aspx

Group policy Logs:
**************
11/2/2015 10:15:11 AM Error EBEN-TEST-PC.domain.corp 7017 Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM The system calls to access specified file completed. \\domain.corp\SysVol\domain.corp\Policies\{CCD95983-4A18-4AA7-9466-D95765CC1AD0}\gpt.ini The call failed after 827 milliseconds.
11/2/2015 10:15:12 AM Error EBEN-TEST-PC.domain.corp 7000 Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Computer boot policy processing failed for domain\EBEN-TEST-PC$ in 4 seconds.
11/2/2015 10:15:53 AM Error EBEN-TEST-PC.domain.corp 7001 Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM User logon policy processing failed for domain\EBEN-TEST-PC in 0 seconds.
11/2/2015 10:16:25 AM Error EBEN-TEST-PC.domain.corp 7005 Microsoft-Windows-GroupPolicy N/A NT AUTHORITY\SYSTEM Manual processing of policy failed for user domain\EBEN-TEST-PC in 0 seconds.

Gpresult:
*******
INFO: The user "domain\user" does not have RSOP data.

07/21/2015 02:11:48 AM Error EBEN-TEST-PC.domain 4205 Microsoft-Windows-NlaSvc Gateway Resolution NT AUTHORITY\NETWORK SERVICE Gateway resolution failed on interface {581B9AD1-62E8-4689-9338-E2568B7DD014} for 10.23.199.1 with error: 0x43
07/22/2015 02:10:24 AM Error EBEN-TEST-PC.domain 4343 Microsoft-Windows-NlaSvc Ldap Authenticatio NT AUTHORITY\NETWORK SERVICE LDAP authentication on interface {581B9AD1-62E8-4689-9338-E2568B7DD014} (10.23.199.220) failed with error 0x56

LDAP errors:
https://support.microsoft.com/en-us/kb/218185

-----Original Message-----
From: barış tombul <bbtombul at gmail.com>
To: Eben Victor <eben.victor at vcontractor.co.za>
Cc: samba <samba at lists.samba.org>
Subject: Re: [Samba] GPO
Date: Wed, 6 Apr 2016 14:10:10 +0300

this command >> samba-tool ntacl sysvolreset

2016-04-06 13:34 GMT+03:00 Eben Victor <eben.victor at vcontractor.co.za>:
> Hi All,
> I created a Samba domain and it works great, the issue that I have
> is with the GPO's. When applying GPO's then only the computer Policy
> is applied and not the user GPO. I keep on receiving below error.
> Has anybody else perhaps been experiencing the same issues?
>
> C:\>gpupdate /force
> Updating Policy...
>
> User policy could not be updated successfully. The following errors
> were encountered:
>
> The processing of Group Policy failed. Windows could not determine if
> the user and computer accounts are in the same forest. Ensure the
> user domain name matches the name of a trusted domain that resides in
> the same forest as the computer account.
> Computer Policy update has completed successfully.
>
> To diagnose the failure, review the event log or run GPRESULT /H
> GPReport.html from the command line to access information about Group
> Policy results.4
>
> Kind Regards
> "This e-mail is sent on the Terms and Conditions that can be accessed
> by Clicking on this link https://webmail.vodacom.co.za/tc/default.html "
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi Louis,

I don't have a FW enabled on my PC.
I even tried to disable the FW on all my DC's
I can telnet to port 389/636/53, they are all open and go through to all my DC's.

Primary DC

# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.CORP
        netbios name = ##SELECTION_END##ZACPRDC002
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        guest account = nobody
        restrict anonymous = 1
        dns forwarder = 10.102.204.200
        dns forwarder = 10.102.208.200
        log level = 3

[netlogon]
        path = /var/lib/samba/sysvol/domain.corp/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Second DC

# Global parameters
[global]
        workgroup = DOMAIN
        realm = domain.corp
        netbios name = ZACPRDC001
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        guest account = nobody
        restrict anonymous = 1
        dns forwarder = 10.102.204.200
        dns forwarder = 10.102.208.200
        log level = 3

[netlogon]
        path = /var/lib/samba/sysvol/domain.corp/scripts
        read only = Yes
        writable = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = Yes
        writable = no

I appreciate the assistance, I've started running into walls already.

Regards

-----Original Message-----
From: Eben Victor <eben.victor at vcontractor.co.za>
To: samba <samba at lists.samba.org>
Subject: Re: [Samba] GPO
Date: Thu, 7 Apr 2016 12:15:34 +0200
Mailer: Evolution 3.18.5.2 (3.18.5.2-1.fc23)

On 07/04/16 13:34, Eben Victor wrote:
> Hi Louis,
> I don't have a FW enabled on my PC.
> I even tried to disable the FW on all my DC's
> I can telnet to port 389/636/53, they are all open and go through to
> all my DC's.
> Primary DC
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN.CORP
>         netbios name = ##SELECTION_END##ZACPRDC002
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         guest account = nobody
>         restrict anonymous = 1
>         dns forwarder = 10.102.204.200
>         dns forwarder = 10.102.208.200
>         log level = 3
> [netlogon]
>         path = /var/lib/samba/sysvol/domain.corp/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> Second DC
> # Global parameters
> [global]
>         workgroup = DOMAIN
>         realm = domain.corp
>         netbios name = ZACPRDC001
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         guest account = nobody
>         restrict anonymous = 1
>         dns forwarder = 10.102.204.200
>         dns forwarder = 10.102.208.200
>         log level = 3
> [netlogon]
>         path = /var/lib/samba/sysvol/domain.corp/scripts
>         read only = Yes
>         writable = no
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = Yes
>         writable = no
> I appreciate the assistance, I've started running into walls already.
> Regards

I take it that your first DC isn't really called
'##SELECTION_END##ZACPRDC002'?

You seem to be using the internal DNS server, with this you can only
have one 'dns forwarder'.

What do you have in /etc/resolv.conf on the DCs? They should point to
each other first, then themselves, i.e.

First DC

search your.domain
nameserver ip.of.second.dc
nameserver ip.of.this.dc

Second DC

search your.domain
nameserver ip.of.first.dc
nameserver ip.of.this.dc

What is in /etc/krb5.conf?

Rowland
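
The two checks asked for in the reply above, written out as an added example (not part of the thread and not Samba project code): it counts 'dns forwarder' lines in [global] and tests the nameserver order in resolv.conf. The function names and the 192.0.2.x resolv.conf addresses are constructed for illustration; the smb.conf sample copies settings posted earlier in the thread.

```shell
#!/bin/sh
# Added example: audit a Samba AD DC's DNS settings against the reply's advice.

# Count 'dns forwarder' lines in the [global] section of an smb.conf.
# Samba parameter names ignore case and embedded whitespace.
count_dns_forwarders() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        glob = (s == "[global]"); next }
        glob && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            if (key == "dnsforwarder") n++
        }
        END { print n + 0 }
    ' "$1"
}

# List the nameserver addresses from a resolv.conf, in file order.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeeds only if the first nameserver is some other host and this DC's
# own address ($2) is also listed: the order recommended in the reply.
resolv_order_ok() {
    first=$(nameservers "$1" | head -n 1)
    [ -n "$first" ] && [ "$first" != "$2" ] &&
        nameservers "$1" | grep -qxF -- "$2"
}

# audit_dc SMB_CONF RESOLV_CONF OWN_IP
# Prints one line per finding; the return status is the number of findings.
audit_dc() {
    findings=0
    n=$(count_dns_forwarders "$1")
    if [ "$n" -gt 1 ]; then
        echo "smb.conf: $n 'dns forwarder' lines in [global]; the reply says the internal DNS server takes only one"
        findings=$((findings + 1))
    fi
    if ! resolv_order_ok "$2" "$3"; then
        echo "resolv.conf: expected the other DC first, then $3"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: [global] settings as posted in the thread;
# the resolv.conf addresses are documentation-range placeholders.
make_samples() {
    cat > "$1/smb.conf" <<'EOF'
# Global parameters
[global]
	workgroup = DOMAIN
	realm = DOMAIN.CORP
	server role = active directory domain controller
	dns forwarder = 10.102.204.200
	dns forwarder = 10.102.208.200
[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
EOF
    printf 'search domain.corp\nnameserver 192.0.2.11\nnameserver 192.0.2.10\n' > "$1/resolv.good"
    printf 'search domain.corp\nnameserver 192.0.2.10\nnameserver 192.0.2.11\n' > "$1/resolv.self-first"
}

# Demo: this DC is assumed to be 192.0.2.10 and lists itself first.
tmp=$(mktemp -d)
make_samples "$tmp"
audit_dc "$tmp/smb.conf" "$tmp/resolv.self-first" 192.0.2.10 || echo "findings: $?"
rm -rf "$tmp"
```

On a real DC, call audit_dc with /etc/samba/smb.conf (or wherever the build keeps it), /etc/resolv.conf and the DC's own address.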