Rowland penny
2021-Feb-01 15:54 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On 01/02/2021 15:41, me at tdiehl.org wrote:
> On Fri, 29 Jan 2021, Rowland penny via samba wrote:
>
>> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>>
>>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>>
>>> On the SambaWiki for Sysvolreset it states:
>>>
>>>     Advice via mailing list (as of May 2018)
>>>
>>>     (courtesy of Rowland Penny)
>>>
>>>     If you have added any custom GPOs, never ever use
>>>     sysvolcheck or sysvolreset
>>>
>>> I have GPO's for drive mapping and screen background.
>>> I'd assume they qualify as "custom"
>>>
>>> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>>>
>> OK, I have updated that wikipage, it now says:
>>
>> If you have added any custom GPOs and given Domain Admins a gidNumber
>> attribute, never ever use sysvolcheck or sysvolreset, this is because
>> this turns the windows group into a Unix group.
>> ''(You are now probably thinking 'what?', a group is just a group,
>> right ? Well, no, a Windows group can do something that no Unix group
>> can, it can own files and directories and guess what needs to own
>> files and directories in sysvol ??)''
>>
>>
>> If you have added any GPO's and haven't given Domain Admins a
>> gidNumber attribute, then you can run sysvolreset.
>
> What about the case where you have custom GPO's but have NOT given
> Domain Admins
> a gidNumber? For instance after you join a new DC to the domain.
>
> Regards,
>

I don't really understand that, if you join a new DC to a domain where Domain Admins has a gidNumber, then Domain Admins on the new DC will have a gidNumber, but if Domain Admins doesn't have a gidNumber in the domain, then Domain Admins will not have a gidNumber on the new DC.

Rowland
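An added example, not part of this thread and not Samba's own tooling: a small POSIX sh pre-flight check that encodes the rule from the quoted wiki text (only run sysvolreset when Domain Admins has no gidNumber attribute). It assumes the attribute-per-line output that `samba-tool group show "Domain Admins"` prints on a Samba AD DC; the two group dumps embedded below are constructed samples, not output from a real domain.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): a pre-flight check
# for the "Domain Admins has a gidNumber?" rule before touching sysvol ACLs.
# Assumes the attribute-per-line layout of 'samba-tool group show'.

# Constructed sample: a domain where Domain Admins HAS a gidNumber.
SAMPLE_WITH_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Admins
sAMAccountName: Domain Admins
gidNumber: 10512
objectSid: S-1-5-21-0-0-0-512'

# Constructed sample: a domain where Domain Admins has NO gidNumber.
SAMPLE_WITHOUT_GID='dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Admins
sAMAccountName: Domain Admins
objectSid: S-1-5-21-0-0-0-512'

# has_gidnumber: reads a group dump on stdin; returns 0 if a gidNumber
# attribute is present, 1 otherwise.
has_gidnumber() {
    grep -qi '^gidNumber:'
}

# sysvolreset_advice GROUP_DUMP
# Prints the recommendation and returns 0 when sysvolreset is acceptable
# (no gidNumber on Domain Admins), 1 when it must be avoided.
sysvolreset_advice() {
    if printf '%s\n' "$1" | has_gidnumber; then
        echo "Domain Admins has a gidNumber: do NOT run sysvolcheck/sysvolreset;"
        echo "it would treat the group as a Unix group and break sysvol ownership."
        return 1
    fi
    echo "Domain Admins has no gidNumber: sysvolreset can be run."
    return 0
}

# Demonstration on the constructed samples (exit status ignored here).
sysvolreset_advice "$SAMPLE_WITH_GID" || true
sysvolreset_advice "$SAMPLE_WITHOUT_GID" || true

# On a real DC (as root) feed the live output instead, e.g.:
#   sysvolreset_advice "$(samba-tool group show 'Domain Admins')"
```

The check deliberately matches the attribute name case-insensitively, since the intent is to refuse to proceed if any gidNumber is set, rather than to parse the value.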
me at tdiehl.org
2021-Feb-02 03:54 UTC
[Samba] GPO Issue after adding second DC -> winning gpo Result: Failure (Error Code: 0x80070035)
On Mon, 1 Feb 2021, Rowland penny via samba wrote:
> On 01/02/2021 15:41, me at tdiehl.org wrote:
>> On Fri, 29 Jan 2021, Rowland penny via samba wrote:
>>
>>> On 29/01/2021 15:36, Marco Shmerykowsky via samba wrote:
>>>>
>>>> On 1/29/2021 2:58 AM, L.P.H. van Belle via samba wrote:
>>>>> 2) samba-tool sysvol reset on dc with FSMO. (dc1)
>>>>
>>>> On the SambaWiki for Sysvolreset it states:
>>>>
>>>>     Advice via mailing list (as of May 2018)
>>>>
>>>>     (courtesy of Rowland Penny)
>>>>
>>>>     If you have added any custom GPOs, never ever use
>>>>     sysvolcheck or sysvolreset
>>>>
>>>> I have GPO's for drive mapping and screen background.
>>>> I'd assume they qualify as "custom"
>>>>
>>>> Should I or shouldn't I run 'samba-tool ntacl sysvolreset'?
>>>>
>>> OK, I have updated that wikipage, it now says:
>>>
>>> If you have added any custom GPOs and given Domain Admins a gidNumber
>>> attribute, never ever use sysvolcheck or sysvolreset, this is because this
>>> turns the windows group into a Unix group.
>>> ''(You are now probably thinking 'what?', a group is just a group, right
>>> ? Well, no, a Windows group can do something that no Unix group can, it
>>> can own files and directories and guess what needs to own files and
>>> directories in sysvol ??)''
>>>
>>>
>>> If you have added any GPO's and haven't given Domain Admins a gidNumber
>>> attribute, then you can run sysvolreset.
>>
>> What about the case where you have custom GPO's but have NOT given Domain
>> Admins
>> a gidNumber? For instance after you join a new DC to the domain.
>>
>> Regards,
>>
>
> I don't really understand that, if you join a new DC to a domain where Domain
> Admins has a gidNumber, then Domain Admins on the new DC will have a
> gidNumber, but if Domain Admins doesn't have a gidNumber in the domain, then
> Domain Admins will not have a gidNumber on the new DC.

OK, sorry for not being clear.

Let me rephrase the question: if I have not given Domain Admins a gidNumber but I have custom GPO's, should I run sysvolreset after joining a new DC to the domain and setting up osync or whatever to sync the sysvols?

Based on what you wrote above, it appears to me that I should run sysvolreset in my case, but I want to be sure I am understanding correctly.

Regards,

-- 
Tom me at tdiehl.org