Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: Lexa6283 on October 21, 2019, 05:29:47 pm

Title: [SOLVED] GPO Migration, access denied
Post by: Lexa6283 on October 21, 2019, 05:29:47 pm
Hello,
I created a new Zentyal server and went through the process to make it the primary Zentyal server. I transferred the FSMO roles as well. When I try to restore the backup of the GPOs in the GPO Console, it is telling me access denied on the new server. Please help!!
Title: Re: GPO Migration, access denied
Post by: doncamilo on October 22, 2019, 02:03:54 pm
 :)

You installed Zentyal as an additional domain controller, didn't you? How did you promote Zentyal? Did you use the script provided by Zentyal?

Besides, note that Samba4 doesn't replicate the SYSVOL. The Samba4 guys recommend this workaround: https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

I'll need some more information in order to help you in a more concrete way.

Cheers!
Title: Re: GPO Migration, access denied
Post by: Lexa6283 on October 22, 2019, 08:11:51 pm
Hello,
Yes, I installed the new DC as an additional DC. Once I did that, I used the script provided to migrate the FSMO roles. I followed their two YouTube videos on additional controllers and transferring FSMO roles. I thought about using the rsync SYSVOL replication to get them over, but the issue now is that the old DC has been offline for so long that when I bring it up, workstations start authenticating against it and the credentials are all expired for everyone. So when I try things, I can only have the old one up for a few minutes before having to bring it back down. Also, I was looking and the DomainDNS and ForestDNS roles are still being held by the old controller; I can't get them to transfer either. I thought about seizing them but haven't tried. I did try resetting the SYSVOL permissions, but that came back with an error too, so I restored to the snapshot from right before I did.
Title: Re: GPO Migration, access denied
Post by: doncamilo on October 23, 2019, 10:51:21 am
 :)

I would use the tar command to copy the sysvol folder with all its ACLs, etc. this way:

    tar --acls -cpsvf sysvol.tar sysvol

Untar the sysvol.tar in your Zentyal and check it.

I suppose you know this command:

    samba-tool ntacl --help

Cheers!
Title: Re: GPO Migration, access denied
Post by: Lexa6283 on October 31, 2019, 07:52:28 pm
The only location I could find the sysvol was /var/lib/zentyal/tmp/samba.backup/
Is that the correct location? and is that the location I should restore to on the correct Zentyal machine?
Title: Re: GPO Migration, access denied
Post by: Lexa6283 on October 31, 2019, 08:13:46 pm
Also, when I untarred it, it gave me a "C}/User/Preferences/Files: Warning: Cannot acl_from_text" for every item.
Title: Re: GPO Migration, access denied
Post by: doncamilo on November 04, 2019, 05:14:03 pm
Quote from Lexa6283: The only location I could find the sysvol was /var/lib/zentyal/tmp/samba.backup/
Is that the correct location? and is that the location I should restore to on the correct Zentyal machine?

 :)

You have to tar the original /var/lib/samba/sysvol (if your old server is another Zentyal). That is the volume which stores the GPOs you created on your old server (take note that Samba doesn't replicate SYSVOL!). And you have to copy it into "/var/lib/samba" (it means you'll have "/var/lib/samba/sysvol").

Cheers!
Title: Re: GPO Migration, access denied
Post by: Lexa6283 on December 05, 2019, 07:07:35 pm
I was finally able to get this resolved. I used the above to copy the SYSVOL directory and policies to the replacement controller; however, some errors came up on the ACL restore. I then used getfacl on the original controller to back up the permissions to a file, copied it to the new one, and restored the permissions from the file. After that I had to use "samba-tool ntacl sysvolreset", and then I was FINALLY able to do a gpupdate /force on the Windows PC and GPOs are syncing again.
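The sequence that resolved the thread (tar with ACLs on the old DC, a getfacl dump as a second copy of the permissions, unpack and setfacl --restore on the new DC, then samba-tool ntacl sysvolreset), written up as a small shell script. This is an added example, not code from the thread or from Zentyal; the function names and the parent/output directory arguments are assumptions, and /var/lib/samba/sysvol is the path doncamilo names above.

```shell
#!/bin/sh
# Added example: migrate SYSVOL between two Samba DCs the way the thread's
# final post describes. POSIX ACLs travel twice: inside the tar archive
# (--acls) and as a getfacl dump replayed with setfacl --restore, so a tar
# that cannot store ACLs (the acl_from_text warning above) is not fatal.
set -eu

# Step 1, on the OLD DC. $1 = parent of the sysvol directory (e.g.
# /var/lib/samba), $2 = directory that receives sysvol.tar and sysvol.acl.
sysvol_backup() {
    parent="$1"; out="$2"
    mkdir -p "$out"
    # -C keeps the archive relative ("sysvol/..."), like the thread's command.
    if ! tar --acls -cpf "$out/sysvol.tar" -C "$parent" sysvol 2>/dev/null; then
        echo "warning: tar has no ACL support, relying on the getfacl dump" >&2
        tar -cpf "$out/sysvol.tar" -C "$parent" sysvol
    fi
    if command -v getfacl >/dev/null 2>&1; then
        # Relative paths in the dump, so it can be replayed from any parent dir.
        ( cd "$parent" && getfacl -R sysvol ) > "$out/sysvol.acl"
    fi
}

# Step 2, on the NEW DC. $1 = directory holding sysvol.tar/sysvol.acl,
# $2 = destination parent (/var/lib/samba, giving /var/lib/samba/sysvol).
sysvol_restore() {
    artefacts="$1"; dest_parent="$2"
    mkdir -p "$dest_parent"
    tar -xpf "$artefacts/sysvol.tar" -C "$dest_parent"
    # Replay the ACL dump; fails loudly if a user/group is unknown on this DC.
    if [ -f "$artefacts/sysvol.acl" ] && command -v setfacl >/dev/null 2>&1; then
        ( cd "$dest_parent" && setfacl --restore="$artefacts/sysvol.acl" )
    fi
}

# Step 3, on the NEW DC: let Samba rewrite the NT ACLs on SYSVOL, the step
# that finally made "gpupdate /force" work in the thread. Real DC only.
sysvol_ntacl_reset() {
    samba-tool ntacl sysvolreset
}

# Usage: sysvol-migrate.sh backup <parent> <out> | restore <artefacts> <dest_parent> | reset
case "${1:-}" in
    backup)  sysvol_backup "$2" "$3" ;;
    restore) sysvol_restore "$2" "$3" ;;
    reset)   sysvol_ntacl_reset ;;
esac
```

Run the backup step on the old DC, carry the two files over, run restore and then reset on the new DC; a failing setfacl --restore usually means a user or group in the dump does not exist on the new server, which is the ACL error the thread hit.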