Stefan G. Weichinger
2019-Jul-26 08:34 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
new thread, old issue been fiddling off-list with tips from Louis over the last days, and putting it back to the list to ask for help from others: 2 samba-4.9.11 DCs 1 samba-4.8.12 DM file server GPOs not working cleanly anymore tried to resync completely etc etc - right now I test gpupdate/gpresult on an older (not productive) W2008R2 server which I use for editing stuff via RSAT/MMC I see a filtered GPO coming from DC2 (=it was read somehow but not executed, OK) but that GPO is NOT visible in the MMC I try to connect directly to DC2, to check things: that GPO isn't there either. showrepl : OK rsync SYSVOL: fine ACLs on SYSVOL: fine according to Louis' script. - "gpupdate /force" shows errors gpresult /h: Something arount "component status" and access denied (sorry, german here) event 105, GroupPolicy ... etc - dozens things tried, I could need some breakthrough here ;-) - I have to admit that I haven't update the admx templates for a long time, if that is relevant (I assume: no)
Stefan G. Weichinger
2019-Jul-26 09:18 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
Am 26.07.19 um 10:34 schrieb Stefan G. Weichinger via samba:> dozens things tried, I could need some breakthrough here ;-)additional info: on a test pc I also get "no RSOP data" ... oh my
L.P.H. van Belle
2019-Jul-26 09:32 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
Hai Stefan, Look at this one. https://pupuweb.com/solved-info-the-user-rsop-data-error-show-gpresult-r-command/ This one might help here more. Also check the output of : gpresult /R And always post the event logs of windows complete. (even if its in german) Because there is more info in there for us then only the event id. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Stefan G. Weichinger via samba > Verzonden: vrijdag 26 juli 2019 11:19 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] GPO issues - getting SYSVOL cleaned up again > > Am 26.07.19 um 10:34 schrieb Stefan G. Weichinger via samba: > > > dozens things tried, I could need some breakthrough here ;-) > > additional info: on a test pc I also get "no RSOP data" ... oh my > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Stefan G. Weichinger
2019-Jul-26 09:47 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
Am 26.07.19 um 11:32 schrieb L.P.H. van Belle via samba:> Hai Stefan, > > Look at this one. > https://pupuweb.com/solved-info-the-user-rsop-data-error-show-gpresult-r-command/ > > This one might help here more.I don't get that message on every machine. Saw that link as well. Might try on site in a week. RDP ~ not so funny> Also check the output of : gpresult /R> And always post the event logs of windows complete. (even if its in german) > Because there is more info in there for us then only the event id.On the W2008R2 server, logged in as DOMAIN\Administrator: Protokollname: System Quelle: Microsoft-Windows-GroupPolicy Datum: 26.07.2019 11:41:37 Ereignis-ID: 1053 Aufgabenkategorie:Keine Ebene: Fehler Schl?sselw?rter: Benutzer: BUERO\Administrator Computer: PRE01SVBMD01.mydomain.at Beschreibung: Fehler bei der Verarbeitung der Gruppenrichtlinie. Der Benutzername konnte nicht aufgel?st werden. Dies kann mindestens eine der folgenden Ursachen haben: a) Fehler bei der Namensaufl?sung mit dem aktuellen Dom?nencontroller. b) Active Directory-Replikationswartezeit (ein auf einem anderen Dom?nencontroller erstelltes Konto hat nicht auf dem aktuellen Dom?nencontroller repliziert). Ereignis-XML: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" /> <EventID>1053</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>1</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2019-07-26T09:41:37.514125500Z" /> <EventRecordID>917281</EventRecordID> <Correlation ActivityID="{B2C69B1B-AC55-4B46-B739-C06CAF6FA24E}" /> <Execution ProcessID="1008" ThreadID="7124" /> <Channel>System</Channel> <Computer>PRE01SVBMD01.mydomain.at</Computer> <Security UserID="S-1-5-21-2940660672-4062535256-4144655499-500" /> </System> <EventData> <Data Name="SupportInfo1">1</Data> <Data Name="SupportInfo2">2052</Data> <Data Name="ProcessingMode">0</Data> <Data Name="ProcessingTimeInMilliseconds">1670</Data> <Data Name="ErrorCode">5</Data> <Data Name="ErrorDescription">Zugriff verweigert </Data> </EventData> </Event> --- also this: Protokollname: System Quelle: LsaSrv Datum: 26.07.2019 11:40:58 Ereignis-ID: 40961 Aufgabenkategorie:Keine Ebene: Warnung Schl?sselw?rter: Benutzer: SYSTEM Computer: PRE01SVBMD01.mydomain.at Beschreibung: Das Sicherheitssystem konnte keine sichere Verbindung mit dem Server ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT herstellen. Es war kein Authentifizierungsprotokoll verf?gbar. Ereignis-XML: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>40961</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2019-07-26T09:40:58.256200100Z" /> <EventRecordID>917279</EventRecordID> <Correlation /> <Execution ProcessID="692" ThreadID="6928" /> <Channel>System</Channel> <Computer>PRE01SVBMD01.mydomain.at</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data Name="Target">ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT</Data> </EventData> </Event> That fits your ldap.conf/LDAP suggestion, right? off for lunch now, checking back in ~2 hrs ... hopefully happier then thanks!
L.P.H. van Belle
2019-Jul-26 10:09 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
One more i found is : http://www.edugeek.net/forums/windows-7/145171-event-id-1053-group-policy.html But i dont expect that to be your problem, just do checkit. And review these steps https://www.dell.com/support/article/nl/nl/nldhs1/sln163816/troubleshooting-group-policy-processing-errors-in-an-active-directory-domain?lang=en I can type it all, but then you get more typo's ;-) Above links are the things i would check first. And do update you ADMX files with latest for win10 1903. Now im out for lunch ;-) Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Stefan G. Weichinger via samba > Verzonden: vrijdag 26 juli 2019 11:48 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] GPO issues - getting SYSVOL cleaned up again > > Am 26.07.19 um 11:32 schrieb L.P.H. van Belle via samba: > > Hai Stefan, > > > > Look at this one. > > > https://pupuweb.com/solved-info-the-user-rsop-data-error-show- > gpresult-r-command/ > > > > This one might help here more. > > I don't get that message on every machine. > > Saw that link as well. Might try on site in a week. RDP ~ not so funny > > > Also check the output of : gpresult /R > > > And always post the event logs of windows complete. (even > if its in german) > > Because there is more info in there for us then only the event id. > > On the W2008R2 server, logged in as DOMAIN\Administrator: > > > > Protokollname: System > Quelle: Microsoft-Windows-GroupPolicy > Datum: 26.07.2019 11:41:37 > Ereignis-ID: 1053 > Aufgabenkategorie:Keine > Ebene: Fehler > Schl?sselw?rter: > Benutzer: BUERO\Administrator > Computer: PRE01SVBMD01.mydomain.at > Beschreibung: > Fehler bei der Verarbeitung der Gruppenrichtlinie. Der Benutzername > konnte nicht aufgel?st werden. Dies kann mindestens eine der folgenden > Ursachen haben: > a) Fehler bei der Namensaufl?sung mit dem aktuellen Dom?nencontroller. > b) Active Directory-Replikationswartezeit (ein auf einem anderen > Dom?nencontroller erstelltes Konto hat nicht auf dem aktuellen > Dom?nencontroller repliziert). > Ereignis-XML: > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> > <System> > <Provider Name="Microsoft-Windows-GroupPolicy" > Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" /> > <EventID>1053</EventID> > <Version>0</Version> > <Level>2</Level> > <Task>0</Task> > <Opcode>1</Opcode> > <Keywords>0x8000000000000000</Keywords> > <TimeCreated SystemTime="2019-07-26T09:41:37.514125500Z" /> > <EventRecordID>917281</EventRecordID> > <Correlation > ActivityID="{B2C69B1B-AC55-4B46-B739-C06CAF6FA24E}" /> > <Execution ProcessID="1008" ThreadID="7124" /> > <Channel>System</Channel> > <Computer>PRE01SVBMD01.mydomain.at</Computer> > <Security > UserID="S-1-5-21-2940660672-4062535256-4144655499-500" /> > </System> > <EventData> > <Data Name="SupportInfo1">1</Data> > <Data Name="SupportInfo2">2052</Data> > <Data Name="ProcessingMode">0</Data> > <Data Name="ProcessingTimeInMilliseconds">1670</Data> > <Data Name="ErrorCode">5</Data> > <Data Name="ErrorDescription">Zugriff verweigert </Data> > </EventData> > </Event> > > > > --- > > > > also this: > > > Protokollname: System > Quelle: LsaSrv > Datum: 26.07.2019 11:40:58 > Ereignis-ID: 40961 > Aufgabenkategorie:Keine > Ebene: Warnung > Schl?sselw?rter: > Benutzer: SYSTEM > Computer: PRE01SVBMD01.mydomain.at > Beschreibung: > Das Sicherheitssystem konnte keine sichere Verbindung mit dem Server > ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT > herstellen. Es war > kein Authentifizierungsprotokoll verf?gbar. > Ereignis-XML: > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> > <System> > <Provider Name="LsaSrv" > Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> > <EventID>40961</EventID> > <Version>0</Version> > <Level>3</Level> > <Task>0</Task> > <Opcode>0</Opcode> > <Keywords>0x8000000000000000</Keywords> > <TimeCreated SystemTime="2019-07-26T09:40:58.256200100Z" /> > <EventRecordID>917279</EventRecordID> > <Correlation /> > <Execution ProcessID="692" ThreadID="6928" /> > <Channel>System</Channel> > <Computer>PRE01SVBMD01.mydomain.at</Computer> > <Security UserID="S-1-5-18" /> > </System> > <EventData> > <Data > Name="Target">ldap/pre01svdeb02.mydomain.at/mydomain.at at mydomain.AT</Data>> </EventData> > </Event> > > > That fits your ldap.conf/LDAP suggestion, right? > > > > off for lunch now, checking back in ~2 hrs ... hopefully happier then > > thanks! > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >