Hello James,

Thanks for your suggestion.

When we had two servers in the pool, we were pushing GPO using rsync from PDC every 30 minutes. However, when we added the two more domain controllers, our rsync script turned into a pull from PDC every 30 minutes. Would this have made those policy objects inconsistent?

We have set up sysvol replication using rsync unidirectionally, that is a push from pdc.*******.com to dc1.*******.com every 30 minutes. However, on dc2.*******.com and dc3.********.com the cronjob executes on dc2.*******.com and dc3.*********.com every 30 minutes and pulls the contents of sysvol. The cron job is working properly on all servers.

The surprising part is, in a specific network the client PCs fail to read and apply GPO, whereas in other networks we find it is working properly. The command "gpresult /r" on a client shows Group Policy applied from "pdc.******.com", whereas the logon server remains either dc1, dc2, dc3 or pdc. The same pdc.********.com throws an error in a specific network. This makes us wonder whether it is a network issue. One more important observation is that if we stop samba-ad-dc on either dc2 or dc3 (the two additional domain controllers), even the specific network segment that is giving the problem also works properly. This makes us suspect the "GPO pull" is making GPO inconsistent with PDC. Probably we have to push the GPO to all additional domain controllers from pdc.*********.com using rsync?

In fact, we have even tested "software push" to clients using GPO, startup scripts etc., and everything was working properly till the inclusion of dc2 and dc3.

Your suggestions are welcome.

-- 
Thanks & Regards,

Anantha Raghava

Do not print this e-mail unless required. Save Paper & trees.

On 08/12/17 6:44 PM, lingpanda101 via samba wrote:
> On 12/7/2017 7:53 PM, Anantha Raghava via samba wrote:
>> Hi,
>>
>> On two of our 4 Domain Controller Servers, the Group Policy Objects have developed some issues. Windows is reporting that Group Policy objects cannot be read.
>>
>> Any recommendation to reset the Group Policy Objects? We are taking daily backup using the Samba_Backup script.
>>
>> In the past, there was a recommendation not to use "samba-tool ntacl sysvolreset". Can we use it now? By the way, we are using Samba version 4.7.1.
>>
> You can use sysvolreset safely. However I would check your sysvol replication process and verify no errors are being reported.
On 12/8/2017 9:39 PM, Anantha Raghava via samba wrote:
> [...]

Anantha,

You shouldn't be pushing the sysvol replication but rather pulling it from the DC you have chosen to make all GPO changes from. Did you follow the wiki here?

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

I would also reduce your replication time to 5 minutes as per the wiki.

You are also using terms such as PDC and DC, it appears, interchangeably. I'm assuming you have a pure DC environment and not a PDC.

-- 
James
Hello James,

After reducing the rsync execution time to 5 minutes from 30 minutes, the problem seems to have been fixed. However, we will continue to observe the setup for a week.

Yes, I followed https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround. The only difference is that I am not using xinetd or a password file. I have created ssh keys between all servers and rsync can log in without any password.

PDC and DC1 etc. are just names for us to identify them. We have an all DC / pure DC environment.

We are running Samba version 4.7.1. We will upgrade it to 4.7.3 shortly.

Thanks for your suggestions and support.

-- 
Thanks & Regards,

Anantha Raghava

On 11/12/17 6:43 PM, lingpanda101 via samba wrote:
> On 12/8/2017 9:39 PM, Anantha Raghava via samba wrote:
>> [...]
> [...]
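As an added illustration of the setup the thread converges on (each extra DC pulls sysvol from the one DC where GPOs are edited, every 5 minutes, over key-based ssh instead of the wiki's rsync daemon), here is a cron-driven pull script for a non-master DC; it is example code, not from the thread or the Samba wiki. It assumes a hypothetical ssh user sysvol-sync on a placeholder host, sysvol under /var/lib/samba/sysvol on both sides, and enough privilege on both ends (root) for rsync -X to carry the security.NTACL xattr; the mkdir lock keeps a slow transfer from overlapping the next 5-minute run, which is one way two copies of sysvol drift apart.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki): cron-driven sysvol
# pull for a non-master Samba AD DC. Assumed, not from the thread: key-based
# ssh as user "sysvol-sync" to a placeholder master, sysvol at
# /var/lib/samba/sysvol on both sides. Suggested crontab entry on each
# non-master DC:   */5 * * * * /usr/local/sbin/sysvol-pull.sh run
SYSVOL_RSYNC="${SYSVOL_RSYNC:-rsync}"   # overridable for tests / dry runs

# log_msg LOGFILE MESSAGE: UTC-timestamped line, so drift between DCs is visible
log_msg() {
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $2" >>"$1"
}

# pull_sysvol SRC DST: mirror SRC into DST. -A/-X carry the POSIX ACLs and the
# xattrs that hold Samba's NT ACLs; --delete-after removes GPOs deleted on the
# master only once the new content is already in place.
pull_sysvol() {
    "$SYSVOL_RSYNC" -aAX --delete-after "$1" "$2"
}

# run_once SRC DST LOCKDIR LOGFILE: take a non-blocking lock (mkdir is atomic)
# so a slow transfer never overlaps the next cron run. Returns 1 if skipped,
# otherwise rsync's exit status (0 on a clean pull).
run_once() {
    src=$1; dst=$2; lock=$3; log=$4
    if ! mkdir "$lock" 2>/dev/null; then
        log_msg "$log" "skipped: previous run still holds $lock"
        return 1
    fi
    # subshell so the trap releases the lock even if rsync is interrupted
    (
        trap 'rmdir "$lock"' EXIT
        rc=0
        pull_sysvol "$src" "$dst" >>"$log" 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then
            log_msg "$log" "pull from $src ok"
        else
            log_msg "$log" "pull from $src FAILED (rsync exit $rc)"
        fi
        exit "$rc"
    )
}

if [ "${1:-}" = "run" ]; then
    run_once "sysvol-sync@pdc.example.com:/var/lib/samba/sysvol/" \
             "/var/lib/samba/sysvol/" /run/sysvol-pull.lock /var/log/sysvol-pull.log
fi
```

If the receiving side cannot write the security.NTACL xattr, follow each pull with `samba-tool ntacl sysvolreset` on that DC, which James confirms is safe to run.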