Computer policy won't apply to computers that were added after update to 4.2er85

ucs-4-2
group-policy

#1

When I try gpupdate, I get this:
Updating policy…

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\ad.samdom\sysvol\ad.labiekoki.lv\Policies\{0A25CBCA-5ADB-48E5-9E98-2F5930B776E5}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

gpresult /r gives this:
Microsoft ® Windows ® Operating System Group Policy Result tool v2.0
© 2017 Microsoft Corporation. All rights reserved.

Created on 26.07.2017 at 15:30:35

RSOP data for AD\administrator on VM-SYS1 : Logging Mode

OS Configuration: Member Workstation
OS Version: 10.0.15063
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\administrator
Connected over a slow link?: No

COMPUTER SETTINGS

CN=vm-sys1,CN=Computers,DC=ad,DC=samdom
Last time Group Policy was applied: 26.07.2017 at 15:29:25
Group Policy was applied from:      lkdc2.ad.samdom
Group Policy slow link threshold:   500 kbps
Domain Name:                        **DESKTOP-C6739UR**
Domain Type:                        WindowsNT 4

Applied Group Policy Objects
-----------------------------
    N/A

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Local Group Policy
        Filtering:  Not Applied (Empty)

The computer is a part of the following security groups
-------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    NT AUTHORITY\Authenticated Users
    System Mandatory Level

It is not showing the correct Site Name:, and Domain Name: DESKTOP-C6739UR is also wrong.


#2
root@lkdc1:~# journalctl -xn
-- Logs begin at Sun 2017-07-23 21:40:46 EEST, end at Wed 2017-07-26 15:51:40 EEST. --
Jul 26 15:51:31 lkdc1 named[1621]: client 192.168.89.169#56220: update 'ad.samdom/IN' denied
Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: cancelling transaction on zone ad.samdom
Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: starting transaction on zone ad.samdom
Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: spnego update failed
Jul 26 15:51:31 lkdc1 named[1621]: client 192.168.89.169#61020/key VM-SYS1\$\@AD.samdom: updating zone 'ad.samdom/NONE': update failed: rejected by secure update (REFUSED)
Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: cancelling transaction on zone ad.samdom
Jul 26 15:51:40 lkdc1 named[1621]: samba_dlz: starting transaction on zone ad.samdom
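The named lines in post #2 contain two different events that are easy to conflate. A Windows client first sends an unsigned dynamic update; against a secure-only AD zone that attempt is always logged as `update 'ad.samdom/IN' denied` and is harmless. The client then retries with a GSS-TSIG-signed update under its machine-account key (`VM-SYS1$@AD.samdom`, which named prints with `$` and `@` escaped), and that second, signed attempt is what the DC rejects here (`spnego update failed`, `rejected by secure update (REFUSED)`). A signed update is refused when the DC that received it cannot validate the client's Kerberos ticket, which is what an out-of-sync DC produces; the thread later resolves it by rejoining the restored DC. The script below is an added example, not code from the thread or from Univention: it separates the two cases over a constructed journal excerpt (the thread's placeholder host and address, plus a second host, VM-SYS2, added here whose signed update was not refused) and lists only the clients whose signed updates failed.

```python
import re
from collections import defaultdict

# Constructed journal excerpt in the same shape as the named/samba_dlz lines in
# post #2. 192.168.89.169 / VM-SYS1 are the thread's placeholders; the second
# client (192.168.89.170 / VM-SYS2) is invented here to show a host that only
# produced the harmless unsigned "denied" line.
SAMPLE_JOURNAL = [
    r"Jul 26 15:51:31 lkdc1 named[1621]: client 192.168.89.169#56220: update 'ad.samdom/IN' denied",
    r"Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: cancelling transaction on zone ad.samdom",
    r"Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: starting transaction on zone ad.samdom",
    r"Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: spnego update failed",
    r"Jul 26 15:51:31 lkdc1 named[1621]: client 192.168.89.169#61020/key VM-SYS1\$\@AD.samdom: updating zone 'ad.samdom/NONE': update failed: rejected by secure update (REFUSED)",
    r"Jul 26 15:51:31 lkdc1 named[1621]: samba_dlz: cancelling transaction on zone ad.samdom",
    r"Jul 26 15:51:40 lkdc1 named[1621]: client 192.168.89.170#50311: update 'ad.samdom/IN' denied",
    r"Jul 26 15:51:40 lkdc1 named[1621]: samba_dlz: starting transaction on zone ad.samdom",
]

# Unsigned update attempt refused by a secure-only zone (expected, harmless).
UNSIGNED_DENIED = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: update '(?P<zone>[^']+)' denied"
)
# Signed (GSS-TSIG) update that the DC could not validate (the real problem).
SIGNED_REFUSED = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^']+)': update failed: rejected by secure update \(REFUSED\)"
)


def unescape_key(key: str) -> str:
    """named backslash-escapes '$' and '@' in TSIG key names; undo that."""
    return key.replace("\\", "")


def summarize_dns_updates(lines):
    """Count unsigned-denied and signed-refused updates per client address."""
    per_client = defaultdict(
        lambda: {"unsigned_denied": 0, "secure_refused": 0, "principals": set()}
    )
    for line in lines:
        m = UNSIGNED_DENIED.search(line)
        if m:
            per_client[m["ip"]]["unsigned_denied"] += 1
            continue
        m = SIGNED_REFUSED.search(line)
        if m:
            entry = per_client[m["ip"]]
            entry["secure_refused"] += 1
            entry["principals"].add(unescape_key(m["key"]))
    return dict(per_client)


def clients_with_refused_secure_updates(lines):
    """(ip, machine principal) pairs whose signed update was refused."""
    summary = summarize_dns_updates(lines)
    return sorted(
        (ip, principal)
        for ip, entry in summary.items()
        if entry["secure_refused"]
        for principal in sorted(entry["principals"])
    )


if __name__ == "__main__":
    for ip, entry in summarize_dns_updates(SAMPLE_JOURNAL).items():
        print(ip, entry)
    print("needs attention:", clients_with_refused_secure_updates(SAMPLE_JOURNAL))
```

Feed it `journalctl -u bind9 --no-pager` output line by line on the DC; a client that shows up only with `unsigned_denied` is behaving normally, whereas one with `secure_refused` points at a Kerberos problem between that client's machine account and the DC that answered, which is worth checking before touching SYSVOL permissions.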


#3

Please run the following commands as root on your DC Master (and any other server that works as an AD DC) and post their output here:

  1. getfacl '/var/lib/samba/sysvol/ad.labiekoki.lv/Policies/{0A25CBCA-5ADB-48E5-9E98-2F5930B776E5}/gpt.ini'
  2. samba-tool ntacl sysvolcheck

It is not showing the correct Site Name:, and Domain Name: DESKTOP-C6739UR is also wrong.

What do you mean by that? What would you expect?

Domain Type: WindowsNT 4

This looks fishy. Are you really not using an Active Directory domain!?
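The first command post #3 asks for needs the path on the DC that corresponds to the UNC path in the Windows error, and the Windows console wraps that error at 120 columns without any marker, which is why `Policies` is split across two lines in post #1. The helper below is an added example, not code from the thread or from Univention: it reassembles the wrapped message, extracts the UNC path, maps it onto Samba's SYSVOL directory (assumed to be the default `/var/lib/samba/sysvol`; the `path` of the `[sysvol]` share in smb.conf is authoritative), and also decodes the `Version` value of a gpt.ini, which packs the user-configuration version into the upper 16 bits and the computer-configuration version into the lower 16 bits. The sample error text and gpt.ini body are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Assumption: Samba's default SYSVOL location. Verify against smb.conf.
SYSVOL_ROOT = "/var/lib/samba/sysvol"

# Constructed copy of the Group Policy error from post #1, including the hard
# line break the Windows console inserts at 120 columns (here inside "Policies").
GP_ERROR_TEXT = (
    "The processing of Group Policy failed. Windows attempted to read the file "
    r"\\ad.samdom\sysvol\ad.labiekoki.lv\Polic" "\n"
    r"ies\{0A25CBCA-5ADB-48E5-9E98-2F5930B776E5}\gpt.ini from a domain controller and was not successful."
)

# Constructed gpt.ini body: 131075 == (2 << 16) | 3, i.e. user 2, computer 3.
SAMPLE_GPT_INI = "[General]\r\nVersion=131075\r\n"

FILE_RE = re.compile(r"attempted to read the file (?P<unc>\S+) from a domain controller")
# Accept one or two leading backslashes: the thread's copy of the error lost one.
UNC_RE = re.compile(
    r"^\\{1,2}(?P<server>[^\\]+)\\sysvol\\(?P<domain>[^\\]+)\\(?P<rest>.+)$",
    re.IGNORECASE,
)


def extract_gpt_ini_unc(event_text: str) -> str:
    """Pull the UNC path out of a (possibly console-wrapped) GP error message."""
    # Console wrapping breaks lines without inserting anything, so the newlines
    # are simply removed; a UNC path never legitimately contains one.
    flat = event_text.replace("\r", "").replace("\n", "")
    m = FILE_RE.search(flat)
    if not m:
        raise ValueError("no 'attempted to read the file ...' fragment found")
    return m["unc"]


def sysvol_path(unc: str, root: str = SYSVOL_ROOT) -> str:
    """Map \\\\server\\sysvol\\<domain>\\... onto the DC's filesystem path."""
    m = UNC_RE.match(unc.strip())
    if not m:
        raise ValueError(f"not a SYSVOL UNC path: {unc!r}")
    rest = m["rest"].replace("\\", "/")
    return str(PurePosixPath(root) / m["domain"] / rest)


def decode_gpt_version(gpt_ini_text: str):
    """Return (computer_version, user_version) from a gpt.ini body."""
    m = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", gpt_ini_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("gpt.ini has no Version= line")
    version = int(m.group(1))
    return version & 0xFFFF, version >> 16


if __name__ == "__main__":
    unc = extract_gpt_ini_unc(GP_ERROR_TEXT)
    path = sysvol_path(unc)
    print("UNC path:      ", unc)
    print("on the DC:     ", path)
    print("computer/user: ", decode_gpt_version(SAMPLE_GPT_INI))
```

The returned filesystem path is the argument for the `getfacl` check in post #3; if `getfacl` reports no read access for the domain computers (or the file is missing on one DC but present on the other), that alone explains the client error. The decoded version pair is useful on a two-DC setup like this one: compare it with the same GPO's gpt.ini on the other DC, since a mismatch means SYSVOL is not in sync between them.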


#4

I restored the DC Backup to 4.1 from a snapshot, and everything works again.
I now have the DC Master on version 4.2-1 errata99 and the DC Backup on 4.1-4 errata443.

This is the correct output of gpresult /r:

PS H:\> gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2017 Microsoft Corporation. All rights reserved.

Created on 27.07.2017 at 14:08:23


RSOP data for AD\guntisr on VM-SYS1 : Logging Mode
---------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.15063
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\guntisr
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=vm-sys1,CN=Computers,DC=ad,DC=samdom
    Last time Group Policy was applied: 27.07.2017 at 13:14:23
    Group Policy was applied from:      lkdc2.samdom
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AD
    Domain Type:                        Windows 2008 or later

I will try to update DC Backup again, see what happens.


#5

Before you update the DC Backup I highly suggest you re-join the DC Backup into the domain. Active Directory controllers (both the Windows and the Samba kinds) do two-way synchronization between themselves. Therefore restoring machines from backup is a bit tricky, as you must ensure that all AD controllers are restored at the same time. Otherwise you may very well run into inconsistencies in your domain data. Even if it seems to work now, you run the risk of encountering issues down the road.

Re-joining won’t erase important data from the DC Backup; it will, however, retrieve fresh and up-to-date copies of the OpenLDAP, the Samba LDAP, all the GPOs, all certificates, Kerberos settings etc. from the DC Master. This ensures the AD controllers are in sync again.

Afterwards you can install the UCS errata updates on your DC Backup again.


#6

Yes, I forgot to mention that I had to do a rejoin; it did not work without that.


#7

Ah, great. Then good luck with the updates.


#8

After the upgrade it shows:

The currently installed release version is 4.2-1 errata118.

but it also says that there are package updates, and the detailed info about the update doesn't have any information about this.
It wants to update these packages:

27 packages to be updated
python-univention 10.0.4-3A~4.2.0.201707200928
python-univention-appcenter 6.0.8-13A~4.2.0.201707121439
python-univention-connector-s4 11.0.8-3A~4.2.0.201707251634
python-univention-directory-manager 12.0.18-5A~4.2.0.201707251539
python-univention-directory-manager-cli 12.0.18-5A~4.2.0.201707251539
python-univention-directory-reports 9.0.1-3A~4.2.0.201706261433
python-univention-management-console 9.0.80-59A~4.2.0.201707241109
univention-appcenter 6.0.8-13A~4.2.0.201707121439
univention-appcenter-docker 6.0.8-13A~4.2.0.201707121439
univention-base-files 6.0.0-13A~4.2.0.201707031342
univention-base-packages 6.0.0-13A~4.2.0.201707031342
univention-directory-manager-tools 12.0.18-5A~4.2.0.201707251539
univention-directory-reports 9.0.1-3A~4.2.0.201706261433
univention-ldap-acl-master 13.0.7-12A~4.2.0.201706301337
univention-ldap-client 13.0.7-12A~4.2.0.201706301337
univention-ldap-config 13.0.7-12A~4.2.0.201706301337
univention-ldap-server 13.0.7-12A~4.2.0.201706301337
univention-management-console 9.0.80-59A~4.2.0.201707241109
univention-management-console-frontend 9.0.80-59A~4.2.0.201707241109
univention-management-console-login 9.0.80-59A~4.2.0.201707241109
univention-management-console-module-appcenter 6.0.8-13A~4.2.0.201707121439
univention-management-console-module-apps 6.0.8-13A~4.2.0.201707121439
univention-management-console-module-udm 7.0.10-18A~4.2.0.201707141049
univention-management-console-server 9.0.80-59A~4.2.0.201707241109
univention-management-console-web-server 9.0.80-59A~4.2.0.201707241109
univention-portal 1.0.12-3A~4.2.0.201706271227
univention-s4-connector 11.0.8-3A~4.2.0.201707251634
4 packages to be installed
python-pyasn1-modules 0.0.5-0.1
python-reportlab 3.1.8-3+deb8u1
python-reportlab-accel 3.1.8-3+deb8u1
python-trml2pdf 1.2-3A~4.2.0.201706211305

My DC Master is at the same errata level, but it doesn't have anything to update.


#9

There are often package updates on top of the specific errata upgrades. Install all of them until univention-upgrade says that there’s nothing left to upgrade.