

Topics - The Knew Guy

Disclaimer: There are many questions in this post, but the bolded ones are the main ones I need help with.

Synopsis:
In my workplace, I have implemented a Zentyal server as an additional domain controller.  Following Zentyal-Samba 3.5.4, joining my domain FINALLY works.  However, that being said, I am still having problems with my environment that seem to only be fixed by turning the Zentyal box off.

My only interest at this point is to use Zentyal as a Samba based file server.  I'm running ACLs unmanaged in the /etc/zentyal/samba.conf file and it's working well for me.  A day or two after installing and joining successfully to the domain, however, DC replication issues begin to surface.  This wouldn't be a problem, except Zentyal seems to INSIST on being a global catalog (logon) server, which is not something I want, especially if it cannot successfully replicate itself to Windows based domain controllers.  My two Win2k3 boxes both have errors on inbound replication from the Zentyal server.  Error 8442 specifically on the DC=domain,DC=tld and on the CN=Configuration,DC=domain,DC=tld containers.  I also get errors about schema mismatch.

What happens after this replication failure issue surfaces is I start getting logon failures and computer trust issues across my network.  People who ARE logged on suddenly cannot access shares on the W2k3 boxes; other users get messages about "Trust account" not found for the workstation they are on.  The computer account exists, but seems to have failed to replicate to Zentyal for whatever reason, even though the replication shows as successful.

Questions:
Eventually, I may run nothing but Zentyal servers once my 2k3 boxes are out of support, but until then, what can I do to make Zentyal not answer logon requests?  Or is there a magic cron job I can create to manually fix the sysvol replication and make the logons work?

Other Thoughts:
On a side note, why would Zentyal even talk about or recommend the possibility of Zentyal as an additional domain controller if Samba 4 does not yet support replication of the sysvol share, and why not disable being a logon server or a global catalog server until the replication issue is fixed upstream by the Samba folks?  Why not incorporate options into the web interface to allow the user to check/uncheck "Make Zentyal a Global Catalog server" under AD join or LDAP options?

Or maybe I'm not fully understanding the problem?  Because on the web interface, I can see group policy objects and links.  Is it reading those locally, or from another domain controller?  Why does computer/user authentication fail when computers bind to the Zentyal DC on startup?  Is this also because of the failed replication or schema mismatch?
