L.P.H. van Belle
2019-Aug-01 07:13 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
Good morning Stefan.

You're welcome. I see everything worked out now. Great!!
Well done, you made it happen. :-)

What I suggest now, at least these are the steps I always do to make sure the DCs have the exact same setup.
First, I clear all my logs and reboot one server.
Wait 15-30 min, then go through all your logs, fix every warning/error.
Make it perfect.
Reboot again, repeat this until it boots 100% correctly.

I suggest one more thing and that is, you check the following.
Check if your zones have both the NS records.
Start up the DNS tool.

Go to your primary DNS zone (and repeat for all other zones).
Do you see all your DCs as NS records in the zone, then it's OK, if not..
Click and Properties on the zone (left panel).
Go to the tab "Nameservers", add the other.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 31 July 2019 21:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
>
> On 31.07.19 at 19:56, Stefan G. Weichinger via samba wrote:
> > On 31.07.19 at 19:19, Stefan G. Weichinger via samba wrote:
> >
> >> but so far no entries there
> >
> > added that PTR
> > looks good to me now!
> >
> > GPOs are applied, all MMCs etc work without error
> >
> > I switched the direction of the sysvol-rsync ... DEB03 keeps FSMO-roles
> > for now.
> >
> > I now test some GPOs that I actually need there.
>
> still fine behavior ...
>
> I assume and hope that this was the solution.
>
> A big and official THANK YOU to Louis and Rowland for the patience and
> help here!
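The NS-record check described in this message can also be scripted. The following is an added example, not part of the original post: it reads the output of `dig +short NS <zone> @<dc>` and lists the expected DCs that are absent from the answer. The FQDNs are assumptions, built from the host and domain names that appear in the thread.

```shell
#!/bin/sh
# Added example: report which expected DCs are absent from a zone's NS set.
# stdin:     output of `dig +short NS <zone> @<dc>` (one FQDN per line)
# arguments: the FQDN of every DC that should be listed as a name server

missing_ns() {
    # Normalise the answers: lower-case, strip trailing blanks and the root dot.
    answers=$(tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]*$//' -e 's/\.$//')
    missing=""
    for dc in "$@"; do
        want=$(printf '%s' "$dc" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        # -x whole line, -F fixed string: no partial or regex matches.
        if ! printf '%s\n' "$answers" | grep -qxF -- "$want"; then
            missing="$missing $want"
        fi
    done
    # Print the missing names space-separated; exit status 0 only if none.
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample answers (assumed FQDNs, not captured from a real server).
SAMPLE_ONE_NS='pre01svdeb03.mydomain.at.'
SAMPLE_BOTH_NS='pre01svdeb03.mydomain.at.
PRE01SVDEB02.mydomain.at.'

# Demo on the constructed sample: prints the DC that is not listed.
printf '%s\n' "$SAMPLE_ONE_NS" |
    missing_ns pre01svdeb02.mydomain.at pre01svdeb03.mydomain.at || true

# Live use: ask every DC about every zone, so each server's view is checked.
#   for dc in pre01svdeb02.mydomain.at pre01svdeb03.mydomain.at; do
#     for zone in mydomain.at 16.168.192.in-addr.arpa; do
#       dig +short NS "$zone" @"$dc" |
#         missing_ns pre01svdeb02.mydomain.at pre01svdeb03.mydomain.at ||
#         echo "NS set incomplete for $zone as seen by $dc"
#     done
#   done
```

An empty answer (for example when the queried DC does not respond) reports every expected DC as missing, so a failed query is not mistaken for a complete NS set.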
Stefan G. Weichinger
2019-Aug-01 10:30 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 01.08.19 at 09:13, L.P.H. van Belle via samba wrote:
> Good morning Stefan.
>
> You're welcome. I see everything worked out now. Great!!
> Well done, you made it happen. :-)

thanks a lot.
The issues there were there for months at least ... glad with the progress.

Not fully done, see below ...

> What I suggest now, at least these are the steps I always do to make sure the DCs have the exact same setup.
> First, I clear all my logs and reboot one server.
> Wait 15-30 min, then go through all your logs, fix every warning/error.
> Make it perfect.
> Reboot again, repeat this until it boots 100% correctly.

It ain't perfect yet, but I assume this is related to the computer accounts and might be solved by rejoining these machines.

I see stuff like:

Aug 01 10:04:38 pre01svdeb02 samba[17958]: task[dcesrv][17958]: Failed to modify SPNs on CN=ROHRHOFER-PC,OU=Pilsbacher-Computer,DC=pilsbacher,DC=at: acl: spn validation failed for spn[TERMSRV/ROHRHOFER-PC.mydomain.at] uac[0x1000] account[ROHRHOFER-PC$] hostname[ROHRHOFER-PC.BUERO] nbname[BUERO] ntds[(null)] forest[mydomain.at] domain[mydomain.at]

> I suggest one more thing and that is, you check the following.
> Check if your zones have both the NS records.
> Start up the DNS tool.
>
> Go to your primary DNS zone (and repeat for all other zones).
> Do you see all your DCs as NS records in the zone, then it's OK, if not..

That's OK

What I don't like:

in the reverse lookup zone there is one A-record ... for the pre01svdeb03 Name

I think there should be no A-record in the rev-lookup-zone ... and if yes, there should be 2 then, one for each DC, right?

So I think that record should be removed, OK?
L.P.H. van Belle
2019-Aug-01 11:15 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Thursday 1 August 2019 12:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] GPO issues - getting SYSVOL cleaned up again
>
> On 01.08.19 at 09:13, L.P.H. van Belle via samba wrote:
> > Good morning Stefan.
> >
> > You're welcome. I see everything worked out now. Great!!
> > Well done, you made it happen. :-)
>
> thanks a lot.
> The issues there were there for months at least ... glad with
> the progress.
>
> Not fully done, see below ...
>
> > What I suggest now, at least these are the steps I always
> > do to make sure the DCs have the exact same setup.
> > First, I clear all my logs and reboot one server.
> > Wait 15-30 min, then go through all your logs, fix every
> > warning/error.
> > Make it perfect.
> > Reboot again, repeat this until it boots 100% correctly.
>
> It ain't perfect yet, but I assume this is related to the computer
> accounts and might be solved by rejoining these machines.
>
> I see stuff like:
>
> Aug 01 10:04:38 pre01svdeb02 samba[17958]:
> task[dcesrv][17958]: Failed
> to modify SPNs on
> CN=ROHRHOFER-PC,OU=Pilsbacher-Computer,DC=pilsbacher,DC=at: acl: spn
> validation failed for spn[TERMSRV/ROHRHOFER-PC.mydomain.at]
> uac[0x1000]
> account[ROHRHOFER-PC$] hostname[ROHRHOFER-PC.BUERO] nbname[BUERO]
> ntds[(null)] forest[mydomain.at] domain[mydomain.at]
>

In this case, you can check for the rights on that PC object.
Verify A (and optional PTR).
It is known that in a few cases we are missing SPNs.

Are your PCs updating their own A records or is this done by the DHCP server?
(or both)

And/or you might have 2 PCs with the same PC name.

Best option in my opinion, remove this PC from the domain, rename the PC.
Reboot, run sysprep and re-join.

> > I suggest one more thing and that is, you check the following.
> > Check if your zones have both the NS records.
> > Start up the DNS tool.
> >
> > Go to your primary DNS zone (and repeat for all other zones).
> > Do you see all your DCs as NS records in the zone, then it's
> > OK, if not..
>
> That's OK
>
> What I don't like:
>
> in the reverse lookup zone there is one A-record ... for the pre01svdeb03 Name
>
> I think there should be no A-record in the rev-lookup-zone ... and if yes, there should be 2 then, one for each DC, right?
>
> So I think that record should be removed, OK?

No, you should add the other DC also.
Source: https://simpledns.com/help/ns-records , line 1 and 2.

Greetz,

Louis
Stefan G. Weichinger
2019-Aug-01 11:25 UTC
[Samba] GPO issues - getting SYSVOL cleaned up again
On 01.08.19 at 13:15, L.P.H. van Belle via samba wrote:
> In this case, you can check for the rights on that PC object.
> Verify A (and optional PTR).
> It is known that in a few cases we are missing SPNs.
>
> Are your PCs updating their own A records or is this done by the DHCP server?
> (or both)
>
> And/or you might have 2 PCs with the same PC name.
>
> Best option in my opinion, remove this PC from the domain, rename the PC.
> Reboot, run sysprep and re-join.

OK. We think of new naming there anyway, so this might be part of that operation then.

>> in the reverse lookup zone there is one A-record ... for the pre01svdeb03 Name
>>
>> I think there should be no A-record in the rev-lookup-zone ... and if yes, there should be 2 then, one for each DC, right?
>>
>> So I think that record should be removed, OK?
>
> No, you should add the other DC also.
> Source: https://simpledns.com/help/ns-records , line 1 and 2.

aha ... wow

So I added:

pre01svdeb02 Host(A) 192.168.16.205

to the zone 16.168.192.in-addr.arpa

- I wonder if this will still be correct in a few months when the next issues happen :-P

thanks, S