Hi Rowland,
thank you very much for the fast answer. You are right, the idmap.ldb backup and
transfer to the other controllers helped. Now the owner:group of all sysvol files (and
folders) is the same on all DCs and the PC can process all GPOs. So everything is
working now. Thank you very much for the help.
--
Greetings, ladas
On Monday 25 August 2025 11:34:37 CEST, Rowland Penny via samba wrote:
> On Mon, 25 Aug 2025 10:57:38 +0200
> ladas via samba <samba at lists.samba.org> wrote:
>
> > Hi everybody.
> >
> > A month ago I "renewed" our AD DC controllers. I installed new, fresh
> > samba servers based on devuan5 including samba 4.21.5, connected them
> > to the domain, moved the FSMO roles to the new master controller and
> > disconnected the old controllers from the domain. I have three controllers
> > in total. One master, one backup at the same location and the third is at
> > a remote place connected through VPN.
>
>
> First, you do not have a master or backup DC, you just have three DCs.
> All DCs are equal apart from the FSMO roles and they can be on any DC.
>
> > Last week I discovered the GPOs are not
> > processed on one PC at the remote office. gpupdate /force generates the
> > message:
> >
> > The computer policy could not be successfully updated. The following
> > problems occurred: Error processing the group policy. The attempt to
> > read the file
> >
> > "\\domain.com\sysvol\domain.com\Policies\{F93CC6D6-748A-4B1A-8717-D2DA0C9D40B9}\gpt.ini"
> > from a domain controller was unsuccessful. Group policy settings
> > cannot be applied until this event is resolved. This may be a
> > temporary problem that can have at least one of the following causes:
> > a) Name resolution/network connection with the current domain
> > controller. b) File Replication Service latency (a file created on
> > another domain controller has not replicated to the current domain
> > controller). c) The Distributed File System (DFS) client has been
> > disabled.
> >
> > The user policy could not be successfully updated. The following
> > problems occurred: Error processing the group policy. The attempt to
> > read the file
> >
> > "\\domain.com\sysvol\domain.com\Policies\{F93CC6D6-748A-4B1A-8717-D2DA0C9D40B9}\gpt.ini"
> > from a domain controller was unsuccessful. Group policy settings
> > cannot be applied until this event is resolved. This may be a
> > temporary problem that can have at least one of the following causes:
> > a) Name resolution/network connection with the current domain
> > controller. b) File replication service wait time (a file created on
> > another domain controller has not replicated to the current domain
> > controller). c) The Distributed File System (DFS) client has been
> > disabled.
> >
> > To diagnose the error, read the event log or run the command
> > "GPRESULT /H GPReport.html" to access information about Group Policy
> > results.
> >
> >
> > I looked at the servers and discovered that the GPOs on the backup and
> > remote AD DC controllers are not owned by "domain\domain admins" like
> > on the master controller but by some domain user. The funny thing is
> > that on each controller the user is different.
> >
> > GPOs are synced by rsync in crontab: rsync -XAavz --delete-after
> > --password-file=/var/lib/samba/private/rsync-sysvol.secret
> > rsync://sysvol-replicator@10.0.0.248/SysVol/ /var/lib/samba/sysvol/ >
> > /var/log/sysvol-replication.log 2>&1
> >
> > cron runs rsync as root, no rules are synced (according to the log) but the
> > owner and group of the GPOs are changed each time.
> >
> > Can somebody give me advice on how to avoid this behaviour? Thank you
> > very much for any help.
>
> You appear to have missed a step, I suggest you read this:
>
> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>
> Rowland
>
>
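As an added example (not from the thread or from the Samba project), the script below compares the SID-to-xidNumber mappings that two DCs hold in idmap.ldb, fed with constructed ldbsearch-style output. It shows the mechanism behind the symptom in the thread: when idmap.ldb differs between DCs, the numeric owner that rsync writes on one DC belongs to Domain Admins there but to some other account on the next DC. The record layout and the field names objectSid/xidNumber are assumed to match what `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints.

```python
from typing import Dict, Tuple

# Constructed sample in the style of
#   ldbsearch -H /var/lib/samba/private/idmap.ldb
# run on two DCs, trimmed to the two attributes used here
# (the record layout is an assumption for this example).
DC1_IDMAP = """\
objectSid: S-1-5-21-1111-2222-3333-512
xidNumber: 3000000

objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000001
"""

DC2_IDMAP = """\
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000000

objectSid: S-1-5-21-1111-2222-3333-512
xidNumber: 3000001
"""


def parse_idmap(text: str) -> Dict[str, int]:
    """Return {SID: xidNumber} from ldbsearch-style output."""
    mapping: Dict[str, int] = {}
    sid = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "objectSid":
            sid = value.strip()
        elif key == "xidNumber" and sid is not None:
            mapping[sid] = int(value.strip())
            sid = None  # one xidNumber per record
    return mapping


def sid_conflicts(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """SIDs known to both DCs but mapped to different local IDs."""
    return {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}


def xid_collisions(a: Dict[str, int], b: Dict[str, int]) -> Dict[int, Tuple[str, str]]:
    """Local IDs owned by one SID on DC1 and a different SID on DC2: the
    uid that is Domain Admins on one DC is some other account on the next."""
    by_xid_a = {x: s for s, x in a.items()}
    by_xid_b = {x: s for s, x in b.items()}
    return {x: (by_xid_a[x], by_xid_b[x])
            for x in by_xid_a.keys() & by_xid_b.keys()
            if by_xid_a[x] != by_xid_b[x]}
```

Running `sid_conflicts` and `xid_collisions` on exports taken before and after copying idmap.ldb to the other DCs gives a quick confirmation that every SID now resolves to the same local ID everywhere; an empty result from both is what you want before resetting the sysvol ACLs.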