On 09.02.22 at 16:32, Victor Rodriguez via samba wrote:
> On 2/9/22 14:32, Matthias Leopold via samba wrote:
>> Hi,
>>
>> is there a way to determine from which DC a GPO is applied in Windows
>> when running "gpupdate" or from the automatic(?) updates?
>> For reasons I don't understand GPO updates on my Windows 2019 members
>> only work from the PDC Emulator DC. On the other DC I get errors about
>> "Permission denied" (although sysvol permissions are the same in both
>> DCs and "samba-tool ntacl sysvolcheck" is happy). "Group Policy
>> Management" in Windows points to the PDC Emulator DC, but the updates
>> seem to randomly choose a DC (which is annoying when updates only work
>> from one DC).
>>
>> thx for advice
>> Matthias
>
>
> The GPO client will try to read GPO from domain.local\sysvol\Policies.
> In DNS, your A record for domain.local will probably resolve to every
> DC, so the DNS client will use one of them randomly. Use the client
> hosts file to fix the IP to resolve to when using the name domain.local.
> You have to fix those "permission denied" errors.
>
> Meanwhile, change your DNS and leave just domain.local A record pointing
> to the working DC. You will have to flush DNS client cache too.
>
> How are you testing access to sysvol on every DC?
>
> Regards.
>
>
My GPO client is connecting to the full domain name for some reason,
this resolves to both DCs.
I'm not testing access to sysvol on every DC, but I'm watching smbd
logfiles on both DCs and see when the computer connects for the GPO update.
The "permission denied" errors are a different story again. The UID/GID
numbers I see in the log line for the connecting computer are completely
strange. They are from the 3000000 range and when I resolve them with
wbinfo, they would be user groups(?) or can't be resolved at all. This
is the same strange behaviour on both DCs, although on one DC access is
OK, on the other it isn't. File system permissions on sysvol folder are
OK (when using getfacl) and comparing it to recommendations from
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh,
also when reading them from Windows.
Matthias
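Added example, not part of the thread and not Samba's own tooling: a small Python script that does from the DC side what Matthias describes doing by eye, namely reading the smbd "connect to service" lines from each DC's log, recording which DC each client read sysvol from, and flagging any uid/gid in the DC's idmap allocation pool that winbind cannot resolve (the 3000000-range numbers mentioned above). The log lines are constructed in the shape of smbd's level-1 connect message; the DC names, client names, addresses and id numbers are made up. The 3000000-3999999 pool is assumed to be the default idmap.ldb allocation range of a Samba AD DC (check CN=CONFIG in your own idmap.ldb), and `wbinfo_resolver` wraps `wbinfo --uid-info` / `wbinfo --gid-info`; `demo_resolver` is a constructed stand-in so the script runs without a DC.

```python
"""Correlate smbd "connect to service" lines from several Samba DCs to see
which DC served a client's sysvol (GPO) read and whether the connecting
account's uid/gid can be resolved by winbind."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# smbd's log-level-1 connect message, as written by make_connection_snum().
CONNECT_RE = re.compile(
    r"^\s*(?P<host>\S+) \((?P<addr>[^)]+)\) connect to service (?P<service>\S+)"
    r" initially as user (?P<user>.+?) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)

# Assumption: default allocation pool of idmap.ldb on a Samba AD DC.  Check the
# CN=CONFIG entry of your own idmap.ldb and adjust if provisioned differently.
DC_ALLOC_RANGE = (3000000, 3999999)


@dataclass(frozen=True)
class Connection:
    dc: str     # DC whose log the line came from
    host: str   # client name as logged by smbd
    addr: str   # client transport address as logged
    user: str   # account the tree connect ran as (the machine account for GPO reads)
    uid: int
    gid: int


def parse_connections(dc: str, log_text: str, service: str = "sysvol") -> List[Connection]:
    """Return every connect to `service` found in one DC's smbd log."""
    found = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m is None or m["service"].lower() != service:
            continue
        found.append(Connection(dc, m["host"], m["addr"], m["user"],
                                int(m["uid"]), int(m["gid"])))
    return found


def dcs_per_client(conns: List[Connection]) -> Dict[str, List[str]]:
    """Map each client to the DCs it read sysvol from, in log order."""
    out: Dict[str, List[str]] = {}
    for c in conns:
        out.setdefault(c.host, []).append(c.dc)
    return out


Resolver = Callable[[str, int], Optional[str]]   # (kind "uid"/"gid", number) -> name or None


def wbinfo_resolver(kind: str, xid: int) -> Optional[str]:
    """Resolve a uid/gid via winbind on the DC; None when wbinfo cannot map it."""
    flag = "--uid-info" if kind == "uid" else "--gid-info"
    r = subprocess.run(["wbinfo", f"{flag}={xid}"], capture_output=True, text=True)
    if r.returncode != 0:
        return None
    return r.stdout.strip() or None


def unmapped_ids(conns: List[Connection], resolve: Resolver,
                 alloc_range: Tuple[int, int] = DC_ALLOC_RANGE) -> List[Tuple[str, str, str, int]]:
    """Flag (dc, client, kind, id) for ids in the allocation pool that do not resolve."""
    lo, hi = alloc_range
    flagged: List[Tuple[str, str, str, int]] = []
    for c in conns:
        for kind, xid in (("uid", c.uid), ("gid", c.gid)):
            key = (c.dc, c.host, kind, xid)
            if lo <= xid <= hi and resolve(kind, xid) is None and key not in flagged:
                flagged.append(key)
    return flagged


# Constructed sample logs in the shape of smbd's connect message; names, addresses
# and id numbers are made up.  On a real DC read /var/log/samba/log.smbd instead.
DC1_LOG = """\
[2022/02/09 15:40:12.100000,  1] (constructed header line, ignored by the parser)
  ws01 (ipv4:10.0.0.50:49871) connect to service netlogon initially as user EXAMPLE\\WS01$ (uid=3000012, gid=3000013) (pid 2201)
  ws01 (ipv4:10.0.0.50:49871) connect to service sysvol initially as user EXAMPLE\\WS01$ (uid=3000012, gid=3000013) (pid 2201)
  ws01 (ipv4:10.0.0.50:49871) closed connection to service sysvol
"""
DC2_LOG = """\
  ws01 (ipv4:10.0.0.50:49902) connect to service sysvol initially as user EXAMPLE\\WS01$ (uid=3000012, gid=3000013) (pid 3110)
  ws02 (ipv4:10.0.0.51:50211) connect to service SYSVOL initially as user EXAMPLE\\WS02$ (uid=3000020, gid=100) (pid 3111)
"""

# Constructed stand-in for wbinfo: gid 3000013 deliberately has no mapping.
_DEMO_TABLE = {("uid", 3000012): "EXAMPLE\\ws01$", ("uid", 3000020): "EXAMPLE\\ws02$"}


def demo_resolver(kind: str, xid: int) -> Optional[str]:
    return _DEMO_TABLE.get((kind, xid))


def analyse(logs: Dict[str, str], resolve: Resolver):
    """Parse one log per DC and return (client -> DCs used, unmapped id findings)."""
    conns = [c for dc, text in logs.items() for c in parse_connections(dc, text)]
    return dcs_per_client(conns), unmapped_ids(conns, resolve)


if __name__ == "__main__":
    per_client, flagged = analyse({"dc1": DC1_LOG, "dc2": DC2_LOG}, demo_resolver)
    for host, dcs in per_client.items():
        print(f"{host}: read sysvol from {', '.join(dcs)}")
    for dc, host, kind, xid in flagged:
        print(f"{dc}: {host} connected with unmapped {kind}={xid}")
```

Run it on a real pair of DCs by passing each DC's log.smbd text to `analyse` with `wbinfo_resolver` instead of `demo_resolver`. A client that appears under both DCs confirms the random DC choice from the DNS round-robin; an id flagged on the failing DC but resolving on the working one is the kind of mismatch that would explain the "permission denied" without any difference in the sysvol ACLs themselves.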