L.P.H. van Belle
2019-Jul-31 15:33 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
Hai,

And thanks for the other check, I needed to know if the A record did exist.

>> ldap1 CNAME pre01svdeb02
>> ldap2 CNAME pre01svdeb03
> sorry, typo -------------^
Yes, I was expecting that. ;-)

What I see: all SOA records and serial numbers are the same, which is how it should be, so that's OK.
What I noticed is this part.

dig a dc.pilsbacher.at @192.168.16.205/206 replies:

DNS1 ( DC1 /pre01svdeb02 (old DC) ) : A 192.168.16.205 dc.pilsbacher.at <<< OLD NAME REPLY.
DNS2 ( DC2 /pre01svdeb03 ) : A 192.168.16.206 pre01svdeb03.pilsbacher.at

Both DNS servers reply the same on lookup A dc.pilsbacher.at: 192.168.16.205
But your PTR lookup replies differently.

dig -x 192.168.16.205 @192.168.16.205
205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at. <<< NEW NAME REPLY.

dig -x 192.168.16.205 @192.168.16.206
205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at. <<< NEW NAME REPLY.

And the problem you're hitting is, as far as I can see, from a buggy Samba version in the past.
How I see that: PRE01SVDEB02 and pre01svdeb03, the CAPS and non-caps.
And now I'm getting flashbacks..

I've been here before, when I accidentally added a new AD with an existing name or IP.
:-// 3-4 years ago..
Now this is one for in the evening.. (sorry), but that is the best way to fix it.

Which is the DC with the FSMO roles? If it's DC1 then move them to pre01svdeb03.pilsbacher.at
Remove/purge this DC and join cleanly again. ( no need to reinstall OS etc., just Samba )

DC1
systemctl stop samba-ad-dc
Backup/remove the files from /var/lib/samba /var/cache/samba and their subfolders!
And /etc/samba/smb.conf

-- and stop ...
Now, go clean up with the Windows DNS tool. ( connect to DC2 )
Verify ALL zones and especially: _msdcs.pilsbacher.at.
Remove the faulty GUID and IP/server names from everything, subfolders etc. there.

Remove the A record for DC.
Remove the PTR record for PRE01SVDEB02
Remove everything related to DC PRE01SVDEB02 and 192.168.16.205

Done, then verify it again, make very sure all records are gone.

I suggest verifying /etc/hosts and /etc/resolv.conf also, but these should be fine.
Point your first DNS entry in /etc/resolv.conf to the other DC 192.168.16.206 (pre01svdeb03.pilsbacher.at)

kinit Administrator
And join the domain again.
! DON'T start Samba yet.

Stop Samba on DC2, copy the idmap file to DC1

Now start Samba on DC1
And sync sysvol again.
And set/verify the rights from Windows again on sysvol/netlogon.

And now everything is fixed and correct.

I spent a long time before I did the above, and same as you, a few parts kept coming back wrong.

This is in the end the best I can think of/recall for fixing it.

I wish I had better news, but in the end you will have a good working setup.

Greetz,

Louis
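The dig lookups Louis did by hand above (A record of each DC and PTR of each DC address, asked of each DC's DNS server, plus the stale name that should disappear after the cleanup) can be run as one script before and after the demote/clean/rejoin. This is an added example, not a script from the thread or from the Samba project; the host names, addresses and the stale name dc.pilsbacher.at are taken from the thread, and the choice of checks (exact A match, case-insensitive PTR match with a separate warning for a case-only difference, stale names must return no answer) is the editor's assumption about what is worth verifying here.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check every DC's A and PTR record
# on every DC's DNS server, plus names that must be gone after the cleanup.
# Names and addresses are the thread's; which checks to run is an assumption.
# Usage: sh dc-dns-check.sh --run   (needs dig on a host that reaches both DCs)

# DCs as fqdn=ip, and names that must no longer resolve after the cleanup
DCS='pre01svdeb02.pilsbacher.at=192.168.16.205 pre01svdeb03.pilsbacher.at=192.168.16.206'
STALE_NAMES='dc.pilsbacher.at'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# lookup TYPE NAME|IP SERVER -> answer lines as "dig +short" prints them.
# Kept in one function so it can be replaced by a stub for offline testing.
lookup() {
  case $1 in
    A)   dig +short -t A "$2" "@$3" ;;
    PTR) dig +short -x "$2" "@$3" ;;
  esac
}

# check_dc FQDN IP SERVER: one line per finding on stdout, returns the count (0 = clean)
check_dc() {
  name=$1 addr=$2 ns=$3 bad=0
  a=$(lookup A "$name" "$ns")
  if [ "$a" != "$addr" ]; then
    echo "$ns: A $name -> '${a:-no answer}' (expected $addr)"
    bad=$((bad + 1))
  fi
  p=$(lookup PTR "$addr" "$ns" | sed 's/\.$//')
  if [ "$(lc "$p")" != "$(lc "$name")" ]; then
    echo "$ns: PTR $addr -> '${p:-no answer}' (expected $name)"
    bad=$((bad + 1))
  elif [ "$p" != "$name" ]; then
    # same name in different case, the symptom spotted in the thread
    echo "$ns: PTR $addr -> '$p' differs only in case from $name"
    bad=$((bad + 1))
  fi
  return $bad
}

# check_gone NAME SERVER: 0 if NAME has no A record left on SERVER
check_gone() {
  a=$(lookup A "$1" "$2")
  [ -z "$a" ] && return 0
  echo "$2: stale A $1 -> '$a' still present"
  return 1
}

# audit: every DC and every stale name against every DC's DNS server;
# returns the total number of findings (0 = all servers agree and are clean)
audit() {
  total=0
  for s in $DCS; do
    ns=${s#*=}
    for dc in $DCS; do
      check_dc "${dc%=*}" "${dc#*=}" "$ns" || total=$((total + $?))
    done
    for n in $STALE_NAMES; do
      check_gone "$n" "$ns" || total=$((total + $?))
    done
  done
  [ "$total" -eq 0 ] && echo "all DNS servers agree on all DC records"
  return $total
}

if [ "${1:-}" = "--run" ]; then
  audit
fi
```

Run it with `--run` from a host that can query both DCs; a non-zero exit status is the number of records that still need attention, so it is a useful "make very sure all records are gone" step before rejoining the DC. Replacing `lookup` with a function that returns captured answers lets the same checks run offline against saved dig output.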
Stefan G. Weichinger
2019-Jul-31 15:50 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 31.07.19 at 17:33, L.P.H. van Belle via samba wrote:
> Hai,
>
> And thanks for the other check, I needed to know if the A record did exist.
>
>>> ldap1 CNAME pre01svdeb02
>>> ldap2 CNAME pre01svdeb03
>> sorry, typo -------------^
> Yes, I was expecting that. ;-)
>
> What I see: all SOA records and serial numbers are the same, which is how it should be, so that's OK.
> What I noticed is this part.
>
> dig a dc.pilsbacher.at @192.168.16.205/206 replies:
>
> DNS1 ( DC1 /pre01svdeb02 (old DC) ) : A 192.168.16.205 dc.pilsbacher.at <<< OLD NAME REPLY.
> DNS2 ( DC2 /pre01svdeb03 ) : A 192.168.16.206 pre01svdeb03.pilsbacher.at
>
> Both DNS servers reply the same on lookup A dc.pilsbacher.at: 192.168.16.205
> But your PTR lookup replies differently.
>
> dig -x 192.168.16.205 @192.168.16.205
> 205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at. <<< NEW NAME REPLY.
>
> dig -x 192.168.16.205 @192.168.16.206
> 205.16.168.192.in-addr.arpa. 900 IN PTR PRE01SVDEB02.pilsbacher.at. <<< NEW NAME REPLY.
>
> And the problem you're hitting is, as far as I can see, from a buggy Samba version in the past.
> How I see that: PRE01SVDEB02 and pre01svdeb03, the CAPS and non-caps.
> And now I'm getting flashbacks..
>
> I've been here before, when I accidentally added a new AD with an existing name or IP.
> :-// 3-4 years ago..
> Now this is one for in the evening.. (sorry), but that is the best way to fix it.
>
> Which is the DC with the FSMO roles? If it's DC1 then move them to pre01svdeb03.pilsbacher.at
> Remove/purge this DC and join cleanly again. ( no need to reinstall OS etc., just Samba )
>
> DC1
> systemctl stop samba-ad-dc
> Backup/remove the files from /var/lib/samba /var/cache/samba and their subfolders!
> And /etc/samba/smb.conf
>
> -- and stop ...
> Now, go clean up with the Windows DNS tool. ( connect to DC2 )
> Verify ALL zones and especially: _msdcs.pilsbacher.at.
> Remove the faulty GUID and IP/server names from everything, subfolders etc. there.
>
> Remove the A record for DC.
> Remove the PTR record for PRE01SVDEB02
> Remove everything related to DC PRE01SVDEB02 and 192.168.16.205
>
> Done, then verify it again, make very sure all records are gone.
>
> I suggest verifying /etc/hosts and /etc/resolv.conf also, but these should be fine.
> Point your first DNS entry in /etc/resolv.conf to the other DC 192.168.16.206 (pre01svdeb03.pilsbacher.at)
>
> kinit Administrator
> And join the domain again.
> ! DON'T start Samba yet.
>
> Stop Samba on DC2, copy the idmap file to DC1
>
> Now start Samba on DC1
> And sync sysvol again.
> And set/verify the rights from Windows again on sysvol/netlogon.
>
> And now everything is fixed and correct.
>
> I spent a long time before I did the above, and same as you, a few parts kept coming back wrong.
>
> This is in the end the best I can think of/recall for fixing it.
>
> I wish I had better news, but in the end you will have a good working setup.

OK, thank you very much so far.

I read this 2 times for a first overview and will decide if I continue to work on this now in the evening (very likely! I just have to take a short break before).

Sure, the FSMO role is on the problematic first DC.

I will rethink all this and maybe start in the next hour or so.

Once more: thank you for all the help (so far ;-) more needed afaik)
Stefan G. Weichinger
2019-Jul-31 15:54 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 31.07.19 at 17:33, L.P.H. van Belle via samba wrote:
> Which is the DC with the FSMO roles? If it's DC1 then move them to pre01svdeb03.pilsbacher.at
> Remove/purge this DC and join cleanly again. ( no need to reinstall OS etc., just Samba )

What?

uninstall samba?
or unjoin from domain only?

"reinstall samba" ?

pls specify
Stefan G. Weichinger
2019-Jul-31 16:03 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 31.07.19 at 17:54, Stefan G. Weichinger via samba wrote:
> On 31.07.19 at 17:33, L.P.H. van Belle via samba wrote:
>
>> Which is the DC with the FSMO roles? If it's DC1 then move them to pre01svdeb03.pilsbacher.at
>> Remove/purge this DC and join cleanly again. ( no need to reinstall OS etc., just Samba )
>
> What?
>
> uninstall samba?
> or unjoin from domain only?
>
> "reinstall samba" ?
>
> pls specify

Ah, I understand this (correct me):

mv FSMO-roles to pre01svdeb03
unjoin
stop and totally clean up pre01svdeb02 ...
clean up DNS
at last rejoin pre01svdeb02 (= essentially joining a new DC here, right?)

correct?