Author Topic: [SOLVED] GPO Migration, access denied  (Read 421 times)

luke6283

[SOLVED] GPO Migration, access denied
« on: October 21, 2019, 05:29:47 pm »
Hello,
I created a new Zentyal server and went through the process to make it the primary Zentyal server. I transferred the FSMO roles as well. When I try to restore the backup of the GPOs in the GPO Console, it is telling me access denied on the new server. Please help!!
« Last Edit: December 05, 2019, 07:09:31 pm by luke6283 »

doncamilo

Re: GPO Migration, access denied
« Reply #1 on: October 22, 2019, 02:03:54 pm »
 :)

You installed Zentyal as an additional domain controller, didn't you? How did you promote Zentyal? Did you use the script provided by Zentyal?

Besides, note that Samba4 doesn't replicate the SYSVOL. The Samba4 guys recommend this workaround: https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

I'll need some more information in order to help you in a more concrete way.

Cheers!
"May you enjoy as much health as the kindness you harbor in your heart"

Don Camilo.

"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.

luke6283

Re: GPO Migration, access denied
« Reply #2 on: October 22, 2019, 08:11:51 pm »
Hello,
Yes, I installed the new DC as an additional DC. Once I did that, I did use the script provided to migrate the FSMO roles. I followed their two YouTube videos on additional controller and transferring FSMO roles. I thought about using the rsync sysvol replication to get them over, but the issue now is, the old DC has been offline for so long that when I bring it up, workstations start authenticating against it and the credentials are all expired for everyone. So when I try things, I can only have the old one up for a few minutes before having to bring it back down. Also, I was looking and the domaindns and forestdns roles are still being held by the old controller; I can't get them to transfer either. Thought about seizing them but haven't tried. I did try resetting the SYSVOL permissions but that came back with an error too, so I restored to the snapshot from right before I did.

doncamilo

Re: GPO Migration, access denied
« Reply #3 on: October 23, 2019, 10:51:21 am »
 :)

I would use the tar command to copy the sysvol folder with all its ACLs, etc., this way:

Code:
tar --acls -cpsvf sysvol.tar sysvol

Untar the sysvol.tar in your Zentyal and check it.

I suppose you know this command:

Code:
samba-tool ntacl --help

Cheers!

luke6283

Re: GPO Migration, access denied
« Reply #4 on: October 31, 2019, 07:52:28 pm »
The only location I could find the sysvol was /var/lib/zentyal/tmp/samba.backup/
Is that the correct location? And is that the location I should restore to on the correct Zentyal machine?

luke6283

Re: GPO Migration, access denied
« Reply #5 on: October 31, 2019, 08:13:46 pm »
Also, when I untarred it, it gave me a "C}/User/Preferences/Files: Warning: Cannot acl_from_text" for every item.

doncamilo

Re: GPO Migration, access denied
« Reply #6 on: November 04, 2019, 05:14:03 pm »
Quote from luke6283:
"The only location I could find the sysvol was /var/lib/zentyal/tmp/samba.backup/
Is that the correct location? And is that the location I should restore to on the correct Zentyal machine?"

 :)

You have to tar the original /var/lib/samba/sysvol (if your old server is another Zentyal). That is the volume which stores the GPOs you created on your old server (take note that Samba doesn't replicate SYSVOL!). And you have to copy it into "/var/lib/samba" (meaning you'll have "/var/lib/samba/sysvol").

Cheers!
« Last Edit: November 04, 2019, 05:16:58 pm by doncamilo »

luke6283

Re: GPO Migration, access denied
« Reply #7 on: December 05, 2019, 07:07:35 pm »
I was finally able to get this resolved. I used the above to copy the SYSVOL directory and policies to the replacement controller. However, I had come up with some errors on the ACL restore. I then used getfacl on the original controller to make a backup of the permissions to a file, copied it to the new one and restored the permissions with the file. Then after that I had to use "samba-tool ntacl sysvolreset"; after that, I was FINALLY able to do a gpupdate /force on the Windows PC and GPOs are syncing again.
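
The sequence that resolved this thread, collected into one script as an added example (not posted by either participant). The staging directory and the file names sysvol.tar and sysvol.facl are assumptions, the final sysvolcheck is an extra verification step not mentioned in the thread, and the script only prints the commands unless DRY_RUN=0 is set.

```bash
#!/bin/bash
# Added example: SYSVOL copy between two Samba DCs, following the thread's steps.
# Assumed names (not from the thread): the staging dir, sysvol.tar, sysvol.facl.
set -eu

SAMBA_DIR=/var/lib/samba      # parent of sysvol, as given in the thread
DRY_RUN=${DRY_RUN:-1}         # 1 = only print the commands, 0 = execute them

# Print a command; execute it only when DRY_RUN=0.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Old controller: archive sysvol and dump its POSIX ACLs to a text file.
export_sysvol() {
    stage=$1
    run tar --acls -cpsvf "$stage/sysvol.tar" -C "$SAMBA_DIR" sysvol
    # Relative paths in the dump let setfacl --restore resolve them later.
    run sh -c "cd '$SAMBA_DIR' && getfacl -R sysvol > '$stage/sysvol.facl'"
}

# New controller: unpack, reapply the saved ACLs, then reset the NT ACLs.
import_sysvol() {
    stage=$1
    [ -f "$stage/sysvol.tar" ] && [ -f "$stage/sysvol.facl" ] || {
        echo "missing sysvol.tar or sysvol.facl in $stage" >&2
        return 1
    }
    run tar --acls -xpsvf "$stage/sysvol.tar" -C "$SAMBA_DIR"
    run sh -c "cd '$SAMBA_DIR' && setfacl --restore='$stage/sysvol.facl'"
    run samba-tool ntacl sysvolreset
    run samba-tool ntacl sysvolcheck   # added check, not from the thread
}

# Usage: script export <staging-dir>   (old DC, as root)
#        script import <staging-dir>   (new DC, as root)
# Afterwards, run "gpupdate /force" on a Windows client as in the thread.
case "${1:-}" in
    export) export_sysvol "${2:?staging dir required}" ;;
    import) import_sysvol "${2:?staging dir required}" ;;
esac
```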