samba-4.8.12 on 2 DCs, replication works ... An external admin joined a new PC and the GPOs aren't pulled ... we get something like "user has no rsop data" Additionally if I run the RSAT(?) tool on a windows member server it also has issues connecting to the AD. I can connect by entering a IP of a DC, though. I suspect a missing/wrong DNS entry?
On 03/06/2019 10:22, Stefan G. Weichinger via samba wrote:> samba-4.8.12 on 2 DCs, replication works ... > > An external admin joined a new PC and the GPOs aren't pulled ... > > we get something like "user has no rsop data"Never seen that, but a quick google seems to suggest that the PC isn't using a DC as its nameserver. If this is the case, I suggest you deny the external admin access to the domain as this is pretty basic. Rowland> > Additionally if I run the RSAT(?) tool on a windows member server it > also has issues connecting to the AD. I can connect by entering a IP of > a DC, though. > > I suspect a missing/wrong DNS entry? > >
Am 03.06.19 um 11:40 schrieb Rowland penny via samba:> On 03/06/2019 10:22, Stefan G. Weichinger via samba wrote: >> samba-4.8.12 on 2 DCs, replication works ... >> >> An external admin joined a new PC and the GPOs aren't pulled ... >> >> we get something like "user has no rsop data" > > Never seen that, but a quick google seems to suggest that the PC isn't > using a DC as its nameserver. > > If this is the case, I suggest you deny the external admin access to the > domain as this is pretty basic.;-) the customer has ordered that new PC ... etc etc The DNS IPs should be deployed via (my) DHCP. I couldn't yet check that on the problematic PC --- will do asap via teamviewer.
Am 03.06.19 um 11:40 schrieb Rowland penny via samba:> On 03/06/2019 10:22, Stefan G. Weichinger via samba wrote: >> samba-4.8.12 on 2 DCs, replication works ... >> >> An external admin joined a new PC and the GPOs aren't pulled ... >> >> we get something like "user has no rsop data" > > Never seen that, but a quick google seems to suggest that the PC isn't > using a DC as its nameserver. > > If this is the case, I suggest you deny the external admin access to the > domain as this is pretty basic.2nd thought: that doesn't explain RSAT failing, right? The windows-server uses the correct 2 DC-IPs as DNS.