Univention UCS - AD Takeover - At least one GPO is still missing in SYSVOL

dns
ad-connection
samba-ad-dc
samba
linux
ucs-4-2
samba-ad

#1

Using Univention Corporate Server (UCS) and trying to take over an Active Directory on a Windows Server 2008 R2.

Following the guide:

https://docs.software-univention.de/manual-4.2.html#windows:adtakeover

Section: 9.4. Migrating an Active Directory domain to UCS using Univention AD Takeover

On my new UCS server I set the same values as on the Windows Server 2008 R2 for the following parameters:

  • DNS domain name
  • NetBIOS domain name
  • Kerberos realm
  • LDAP base DN

I arrived at the point where I had to run the command:

> robocopy /mir /sec /z \\DLDC\sysvol \\ucsdc\sysvol

on the Windows Server 2008 R2 as Administrator.

The above command completed successfully with the following output:

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows                              
-------------------------------------------------------------------------------

  Started : Fri Sep 15 09:22:19 2017

   Source : \\DLDC\sysvol\
     Dest : \\ucsdc\sysvol\

    Files : *.*
	    
  Options : *.* /S /E /COPY:DATS /PURGE /MIR /Z /R:1000000 /W:30 

------------------------------------------------------------------------------

	                   1	\\DLDC\sysvol\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\
	  New File  		      98	ConflictAndDeletedManifest.xml
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\ConflictAndDeleted\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\Deleted\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\Installing\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
	  New File  		      27	GPT.INI
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\
	  New File  		   50768	wuau.adm
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\
	  New File  		    5034	Registry.pol
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Applications\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
	  New File  		    1098	GptTmpl.inf
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Shutdown\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Applications\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Documents & Settings\
	  New Dir          2	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\
	  New File  		       6	psscripts.ini
  0%  
100%  
	  New File  		     212	scripts.ini
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logoff\
	  New Dir          2	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon\
	  New File  		      62	default-drives-map.bat
  0%  
100%  
	  New File  		     144	home-directory-map.vbs
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
	  New File  		      23	GPT.INI
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\
	  New File  		       8	Registry.pol
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Applications\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
	  New File  		    3552	GptTmpl.inf
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\Shutdown\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\Startup\
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{A99FB5BE-989E-407D-81C2-8E0563980EDE}\
	  New File  		      84	GPT.INI
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{A99FB5BE-989E-407D-81C2-8E0563980EDE}\Machine\
	  New File  		    8734	Registry.pol
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{A99FB5BE-989E-407D-81C2-8E0563980EDE}\User\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{CAD2E82F-9501-4507-8676-ACCF1DEB9820}\
	  New File  		     116	GPT.INI
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{CAD2E82F-9501-4507-8676-ACCF1DEB9820}\Machine\
	  New File  		    9466	Registry.pol
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{CAD2E82F-9501-4507-8676-ACCF1DEB9820}\User\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}\
	  New File  		      81	GPT.INI
  0%  
100%  
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}\Machine\
	  New File  		    7737	Registry.pol
  0%  
100%  
	  New Dir          0	\\DLDC\sysvol\MYDOMAIN.intranet\Policies\{FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}\User\
	  New Dir          1	\\DLDC\sysvol\MYDOMAIN.intranet\scripts\
	  New File  		    6148	.DS_Store
  0%  
 99%  

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :        43        42         1         0         0         0
   Files :        20        19         1         0         0         0
   Bytes :    97.2 k    91.2 k     6.0 k         0         0         0
   Times :   0:00:02   0:00:00                       0:00:00   0:00:01


   Speed :              125198 Bytes/sec.
   Speed :               7.163 MegaBytes/min.

   Ended : Fri Sep 15 09:22:21 2017

Then I clicked the Next button, but I got the following error:

"Could not fulfill the request. Server error message: At least one GPO is still missing in SYSVOL."

As you can see below:

[screenshot of the error dialog]

In the Univention log /var/log/univention/ad-takeover.log I got the following:

2017-09-14 21:19:24,268 GPO missing in SYSVOL: {31B2F340-016D-11D2-945F-00C04FB984F9}
2017-09-14 21:19:24,268 At least one GPO is still missing in SYSVOL.

Then, on the recommendation of the following URL:

http://www.tecmint.com/samba4-ad-dc-sysvol-replication/

I tried the following commands:

# samba-tool ntacl sysvolcheck # first check
# samba-tool ntacl sysvolreset # the reset
# samba-tool ntacl sysvolcheck # second check

The first check reported errors, but the second check reported none.

These were the errors:

root@ucsdc:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/mydomain.intranet O:LAG:SYD:AI(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001e01bf;;;BA)(A;OICIID;0x001f01ff;;;SY)(A;ID;0x001e01bf;;;LA)(A;OICIIOID;0x001e01bf;;;CO) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1737, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

Before the reset I had:

root@ucsdc:/var/lib/samba/sysvol/mydomain.intranet/Policies# ls -la
total 56
drwxrwx---+ 7 Administrator System        4096 Sep 14 20:54 .
drwxrwx---+ 5 Administrator System        4096 Sep 14 21:00 ..
drwxrwx---+ 5 Administrator System        4096 Sep 14 20:54 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator System        4096 Sep 14 20:54 {6AC1786C-016F-11D2-945F-00C04fB984F9}
drwxrwx---+ 4 Administrator Domain Admins 4096 Sep 14 20:54 {A99FB5BE-989E-407D-81C2-8E0563980EDE}
drwxrwx---+ 4 Administrator Domain Admins 4096 Sep 14 20:54 {CAD2E82F-9501-4507-8676-ACCF1DEB9820}
drwxrwx---+ 4 Administrator Domain Admins 4096 Sep 14 20:54 {FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}

After reset:

root@ucsdc:~# ls -la /var/lib/samba/sysvol/mydomain.intranet/Policies/
total 56
drwxrwx---+ 7 Administrator Administrators 4096 Sep 14 21:18 .
drwxrwx---+ 5 Administrator Administrators 4096 Sep 14 21:18 ..
drwxrwx---+ 5 Administrator Domain Admins  4096 Sep 14 21:18 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {6AC1786C-016F-11D2-945F-00C04fB984F9}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {A99FB5BE-989E-407D-81C2-8E0563980EDE}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {CAD2E82F-9501-4507-8676-ACCF1DEB9820}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}

Any idea on how to troubleshoot this?
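What `samba-tool ntacl sysvolcheck` is comparing in the error above are two security descriptors in SDDL form: the one Samba finds on the directory and the one the provision expects. The following is an added Python example, not code from this thread or from Samba, that parses the two strings copied from the error and lists where they differ: the group (SY vs BA), the missing P (protected) flag, the AI flag and the ID flag on every on-disk ACE (all inherited), and the Builtin Administrators mask (0x001e01bf vs 0x001f01ff). The access-mask bit names are the standard winnt.h / MS-DTYP file rights and the two-letter trustees (BA, SY, SO, AU, LA, CO) are the standard SDDL aliases; the `Ace` class, `parse_sddl`, `describe_mask` and `diff_acls` are this example's own names. It only makes the check's complaint readable; it does not decide whether the difference matters.

```python
"""Parse the two SDDL descriptors from the sysvolcheck error and show how they differ."""
import re
from dataclasses import dataclass

# Copied from the sysvolcheck error above: what is on disk, and what the provision expects.
ACTUAL = ("O:LAG:SYD:AI(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001200a9;;;SO)"
          "(A;OICIID;0x001e01bf;;;BA)(A;OICIID;0x001f01ff;;;SY)(A;ID;0x001e01bf;;;LA)"
          "(A;OICIIOID;0x001e01bf;;;CO)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# Standard and file-specific access-mask bits (winnt.h / MS-DTYP); enough for these ACLs.
MASK_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied
    flags: tuple    # two-letter ACE flags: OI, CI, IO, ID, ...
    mask: int
    trustee: str    # SDDL alias (BA, SY, AU, ...) or a full S-1-... SID


def parse_sddl(sddl):
    """Split 'O:...G:...D:<flags>(ace)(ace)...' into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([^(]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")
        if not rights.lower().startswith("0x"):
            raise ValueError("only hex access masks are handled here: %r" % rights)
        flag_codes = tuple(flags[i:i + 2] for i in range(0, len(flags), 2))
        aces.append(Ace(ace_type, flag_codes, int(rights, 16), trustee))
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}


def describe_mask(mask):
    """Names of the bits set in an access mask, plus any bits the table does not know."""
    names = [name for bit, name in sorted(MASK_BITS.items()) if mask & bit]
    unknown = mask & ~sum(MASK_BITS)
    if unknown:
        names.append("0x%08x" % unknown)
    return names


def diff_acls(actual_sddl, expected_sddl):
    """Compare owner, group, DACL control flags and the (trustee, mask) pairs.
    Inheritance flags are deliberately ignored for the pair comparison; they are
    reported separately as the count of inherited (ID) ACEs."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    a_pairs = {(x.trustee, x.mask) for x in a["aces"]}
    e_pairs = {(x.trustee, x.mask) for x in e["aces"]}
    return {
        "owner_ok": a["owner"] == e["owner"],
        "group_ok": a["group"] == e["group"],
        "expected_protected": "P" in e["dacl_flags"],
        "actual_protected": "P" in a["dacl_flags"],
        "inherited_aces": sum(1 for x in a["aces"] if "ID" in x.flags),
        "missing": sorted(e_pairs - a_pairs),   # expected but not on disk
        "extra": sorted(a_pairs - e_pairs),     # on disk but not expected
    }


if __name__ == "__main__":
    report = diff_acls(ACTUAL, EXPECTED)
    for key, value in report.items():
        print("%-18s %s" % (key, value))
    for trustee, mask in report["missing"] + report["extra"]:
        print("  %s 0x%08x = %s" % (trustee, mask, ", ".join(describe_mask(mask))))
```

Run as a script it prints that only the Builtin Administrators full-control entry is absent, that three extra entries (BA, LA, CO) carry 0x001e01bf, which lacks DELETE and FILE_DELETE_CHILD compared with 0x001f01ff, and that all six on-disk ACEs are inherited from the parent while the provision wants a protected DACL with four explicit entries. That is exactly the state `sysvolreset` rewrites.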


Univention UCS 4.2 - Failed 'Active Directory Takeover' process - Troubleshooting
#2

Any help here? Thanks.


#3

I’m currently looking at the code for the AD takeover module at the point where this error message (“GPO missing in sysvol”) is generated. It looks for a directory whose path consists of the following components:

  1. The base directory /var/lib/samba/sysvol
  2. The domain-specific directory as read from the Samba configuration
  3. The sub-directory Policies
  4. The GPO’s unique ID

Your base path looks good in the output of ls, as does the Policies sub-directory. So 1 and 3 are out. The unique ID is the same in your log file and in the ls output; the browser’s search function confirms this. This rules out 4 as the culprit.

That leaves us with 2.

I guess it’s possible that the directory’s case and the DNS name’s case are different. You’ve replaced the actual domain name with mydomain.intranet, so it’s hard for me to tell, but in the robocopy output the domain name is upper case, which leads me to that theory.

Can you please compare the case in the output of ldbsearch -H /var/lib/samba/private/sam.ldb | grep '^dn:' | head and the directory in /var/lib/samba/private? For example, on my test system ldbsearch outputs this:

dn: CN=MicrosoftDNS,CN=System,DC=mbu-test,DC=intranet
dn: CN=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=mbu-test,DC=intranet
…

And from DC=mbu-test,DC=intranet I’d infer that the directory name must be the all lower-case mbu-test.intranet.
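The four-component lookup described in this post, with the case theory made testable. This is an added Python example, not code from the thread or from the UCS AD takeover module: it rebuilds the <sysvol>/<domain>/Policies/<GUID> path, retries each component case-insensitively when the exact name is not there (as it would not be on a case-sensitive Linux filesystem), and reports "case-mismatch" together with the path that really exists instead of a bare "missing". The tree it builds for the demo is constructed, using the upper-case domain directory and the lower-case "f" in {6AC1786C-016F-11D2-945F-00C04fB984F9} that both appear in the robocopy listing above; `domain_from_dn` is this example's own helper and only joins the DC= parts of a DN the way this post infers the directory name.

```python
"""Reproduce, offline, the per-GPO directory lookup (<sysvol>/<domain>/Policies/<GUID>)
and tell a case mismatch apart from a directory that is really absent."""
import os
import tempfile


def domain_from_dn(dn):
    """Join the DC= components of an LDAP DN into a DNS name, case preserved:
    'CN=System,DC=mbu-test,DC=intranet' -> 'mbu-test.intranet'."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    if not parts:
        raise ValueError("no DC= components in %r" % dn)
    return ".".join(parts)


def _lookup(parent, name):
    """Look for `name` in `parent` the way a case-sensitive filesystem would, then fall
    back to a case-insensitive scan. Returns (exact_match, actual_name_or_None)."""
    try:
        entries = os.listdir(parent)
    except (FileNotFoundError, NotADirectoryError):
        return False, None
    if name in entries:
        return True, name
    for entry in entries:
        if entry.lower() == name.lower():
            return False, entry
    return False, None


def check_gpo_dirs(sysvol_root, domain, gpo_guids):
    """For each GUID return 'ok', 'missing', or 'case-mismatch: <path that exists>'."""
    dom_exact, dom_dir = _lookup(sysvol_root, domain)
    if dom_dir is None:
        return {g: "missing" for g in gpo_guids}
    pol_exact, pol_dir = _lookup(os.path.join(sysvol_root, dom_dir), "Policies")
    if pol_dir is None:
        return {g: "missing" for g in gpo_guids}
    policies = os.path.join(sysvol_root, dom_dir, pol_dir)
    report = {}
    for guid in gpo_guids:
        guid_exact, guid_dir = _lookup(policies, guid)
        if guid_dir is None:
            report[guid] = "missing"
        elif dom_exact and pol_exact and guid_exact:
            report[guid] = "ok"
        else:
            report[guid] = "case-mismatch: " + os.path.join(policies, guid_dir)
    return report


def demo(domain="mydomain.intranet"):
    """Constructed SYSVOL tree (not the poster's real one): upper-case domain directory as
    in the robocopy listing, one GUID with the lower-case 'f' seen there, and one GPO from
    the listing deliberately left out so that it shows up as 'missing'."""
    present = ["{31B2F340-016D-11D2-945F-00C04FB984F9}",
               "{6AC1786C-016F-11D2-945F-00C04fB984F9}"]
    wanted = [present[0], present[1].upper(), "{A99FB5BE-989E-407D-81C2-8E0563980EDE}"]
    with tempfile.TemporaryDirectory() as root:
        for guid in present:
            os.makedirs(os.path.join(root, "MYDOMAIN.intranet", "Policies", guid))
        return check_gpo_dirs(root, domain, wanted)


if __name__ == "__main__":
    for cfg_domain in ("mydomain.intranet", "MYDOMAIN.intranet"):
        print("domain from config:", cfg_domain)
        for guid, state in demo(cfg_domain).items():
            print("  ", guid, state)
```

With the lower-case domain from the config every GPO comes back as a case mismatch on the domain directory; with the upper-case domain only the GUID whose on-disk name has the lower-case "f" still mismatches, which is the kind of difference a plain "GPO missing in SYSVOL" message hides.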


#4

Hi Moritz, I made a mistake in the initial post while writing it. I should have written MYDOMAIN.intranet with MYDOMAIN in upper case, since that is how it is on my system. I made this error because I replaced my lab domain’s internet name with mydomain (just for a bit of privacy), but the error was only in the post.

I think we should fix this somehow so we don’t confuse other people. Maybe I should change mydomain.intranet to MYDOMAIN.intranet, but then your answer won’t apply :frowning:; maybe that is still better, I don’t know.

Anyway, I have very good news. After all this time, and without making any modification to the UCS 4.2 system, after clicking Next on figure 9.12

https://docs.software-univention.de/manual-4.2.html#windows:ad:sysvol

I could reach figure 9.13.

I have no idea why the process didn’t go through before and now it did.

Another thing I have to say is that I tried the following command on UCS 4.2:

# samba-tool ntacl sysvolcheck

and got the following output:

ERROR(<type 'exceptions.TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1732, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)

Again, I haven’t touched this UCS 4.2 system (a VirtualBox virtual machine) since the day of my initial post.

Moritz, do you want me to fix my initial post before continuing with all this, just so as not to confuse others?


#5

My own experience with samba-tool ntacl sysvolcheck has been mixed at best. sysvolreset does work nicely, but sysvolcheck almost always errors out for me, too.

Hmmmm… nah. Let’s leave it as it is.

However, I’m somewhat confused now: ignoring the sysvolcheck error, at which point exactly are you stuck at the moment?


#6

Ignoring that error I think I’m not stuck, but I haven’t had a chance in the lab yet to continue beyond “Figure 9.13. Shutdown of the AD server(s)” https://docs.software-univention.de/manual-4.2.html, for reasons unrelated to all this. I will probably have a chance to do it in the next 2 days, and then I’m going to post my experience here because it may help others.


#7

I don’t know why some of my previous comments were flagged as spam.
Also, in my previous post I tried to put a direct link to Figure 9.13 and got an error saying something like I cannot point to that host, the host being “docs.software-univention.de”. I then had to remove the anchor #windows:ad:takeover2 from the URL, and it worked.


#8

Interesting… though I cannot really comment on issues with the forum software, I’m afraid.

Good luck with the tests. If you run into additional problems don’t hesitate to post here (preferably in a new topic unless it’s about missing GPOs again; let’s keep the topics focused on a single issue).