Univention UCS - AD Takeover - At least one GPO is still missing in SYSVOL.

I am trying to take over an Active Directory domain running under Windows Server 2008 R2 with Univention Corporate Server (UCS).

I am following this guide:

https://docs.software-univention.de/manual-4.2.html#windows:adtakeover

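Section: 9.4. Migrating an Active Directory domain to UCS using Univention AD Takeover

On the new UCS server I set the following parameters to the same values as on the Windows Server 2008 R2:

  • DNS domain name
  • NetBIOS domain name
  • Kerberos realm
  • LDAP base DN

I reached the point where I need to run the following command: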

> robocopy /mir /sec /z \\DLDC\sysvol \\ucsdc\sysvol

as Administrator on the Windows Server 2008 R2.

The command above completed successfully, with the following output:

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows                              
-------------------------------------------------------------------------------

  Started : Fri Sep 15 09:22:19 2017

   Source : \\DLDC\sysvol\
     Dest : \\ucsdc\sysvol\

    Files : *.*

  Options : *.* /S /E /COPY:DATS /PURGE /MIR /Z /R:1000000 /W:30 

------------------------------------------------------------------------------

                       1    \\DLDC\sysvol\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\
      New File                98    ConflictAndDeletedManifest.xml
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\ConflictAndDeleted\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\Deleted\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\DfsrPrivate\Installing\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
      New File                27    GPT.INI
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\
      New File             50768    wuau.adm
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\
      New File              5034    Registry.pol
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Applications\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
      New File              1098    GptTmpl.inf
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Shutdown\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Applications\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Documents & Settings\
      New Dir          2    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\
      New File                 6    psscripts.ini
  0%  
100%  
      New File               212    scripts.ini
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logoff\
      New Dir          2    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon\
      New File                62    default-drives-map.bat
  0%  
100%  
      New File               144    home-directory-map.vbs
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
      New File                23    GPT.INI
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\
      New File                 8    Registry.pol
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Applications\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
      New File              3552    GptTmpl.inf
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\Shutdown\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Scripts\Startup\
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{A99FB5BE-989E-407D-81C2-8E0563980EDE}\
      New File                84    GPT.INI
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{A99FB5BE-989E-407D-81C2-8E0563980EDE}\Machine\
      New File              8734    Registry.pol
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{A99FB5BE-989E-407D-81C2-8E0563980EDE}\User\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{CAD2E82F-9501-4507-8676-ACCF1DEB9820}\
      New File               116    GPT.INI
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{CAD2E82F-9501-4507-8676-ACCF1DEB9820}\Machine\
      New File              9466    Registry.pol
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{CAD2E82F-9501-4507-8676-ACCF1DEB9820}\User\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}\
      New File                81    GPT.INI
  0%  
100%  
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}\Machine\
      New File              7737    Registry.pol
  0%  
100%  
      New Dir          0    \\DLDC\sysvol\MYDOMAIN.intranet\Policies\{FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}\User\
      New Dir          1    \\DLDC\sysvol\MYDOMAIN.intranet\scripts\
      New File              6148    .DS_Store
  0%  
 99%  

------------------------------------------------------------------------------

               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :        43        42         1         0         0         0
   Files :        20        19         1         0         0         0
   Bytes :    97.2 k    91.2 k     6.0 k         0         0         0
   Times :   0:00:02   0:00:00                       0:00:00   0:00:01


   Speed :              125198 Bytes/sec.
   Speed :               7.163 MegaBytes/min.

   Ended : Fri Sep 15 09:22:21 2017

Then I clicked the "Next" button, but I get the following error:

"Could not fulfill the request. Server error message: At least one GPO is still missing in SYSVOL."

From the Univention log /var/log/univention/ad-takeover.log I get the following:

2017-09-14 21:19:24,268 GPO missing in SYSVOL: {31B2F340-016D-11D2-945F-00C04FB984F9}
2017-09-14 21:19:24,268 At least one GPO is still missing in SYSVOL.

Then, following the recommendation at this URL:

http://www.tecmint.com/samba4-ad-dc-sysvol-replication/

I tried the following commands:

# samba-tool ntacl sysvolcheck # first check
# samba-tool ntacl sysvolreset # the reset
# samba-tool ntacl sysvolcheck # second check

The first check reports an error, but the second check reports none.

The error is:

root@ucsdc:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /var/lib/samba/sysvol/mydomain.intranet O:LAG:SYD:AI(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x001e01bf;;;BA)(A;OICIID;0x001f01ff;;;SY)(A;ID;0x001e01bf;;;LA)(A;OICIIOID;0x001e01bf;;;CO) does not match expected value O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) from provision
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1737, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))

Before the reset I had the following:

root@ucsdc:/var/lib/samba/sysvol/mydomain.intranet/Policies# ls -la
total 56
drwxrwx---+ 7 Administrator System        4096 Sep 14 20:54 .
drwxrwx---+ 5 Administrator System        4096 Sep 14 21:00 ..
drwxrwx---+ 5 Administrator System        4096 Sep 14 20:54 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator System        4096 Sep 14 20:54 {6AC1786C-016F-11D2-945F-00C04fB984F9}
drwxrwx---+ 4 Administrator Domain Admins 4096 Sep 14 20:54 {A99FB5BE-989E-407D-81C2-8E0563980EDE}
drwxrwx---+ 4 Administrator Domain Admins 4096 Sep 14 20:54 {CAD2E82F-9501-4507-8676-ACCF1DEB9820}
drwxrwx---+ 4 Administrator Domain Admins 4096 Sep 14 20:54 {FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}

After the reset:

root@ucsdc:~# ls -la /var/lib/samba/sysvol/mydomain.intranet/Policies/
total 56
drwxrwx---+ 7 Administrator Administrators 4096 Sep 14 21:18 .
drwxrwx---+ 5 Administrator Administrators 4096 Sep 14 21:18 ..
drwxrwx---+ 5 Administrator Domain Admins  4096 Sep 14 21:18 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {6AC1786C-016F-11D2-945F-00C04fB984F9}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {A99FB5BE-989E-407D-81C2-8E0563980EDE}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {CAD2E82F-9501-4507-8676-ACCF1DEB9820}
drwxrwx---+ 4 Administrator Domain Admins  4096 Sep 14 21:18 {FC6F93DA-46C2-4DE4-8FF3-F3994E796F9F}

Any idea how to solve this problem?
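The two SDDL strings in the `sysvolcheck` error above are hard to compare by eye. The following is an added example (not part of the original question and not Samba's own code) that parses both and lists where the ACL found on the copied SYSVOL differs from the one Samba expects. It assumes hex access masks and one ACE per trustee, as in that message; `parse_sddl` and `diff_sddl` are illustrative names.

```python
import re

# Both strings are copied verbatim from the ProvisioningError message above.
ACTUAL = ("O:LAG:SYD:AI(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001200a9;;;SO)"
          "(A;OICIID;0x001e01bf;;;BA)(A;OICIID;0x001f01ff;;;SY)"
          "(A;ID;0x001e01bf;;;LA)(A;OICIIOID;0x001e01bf;;;CO)")
EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

SID = r"(\w\w|S-[\d-]+)"  # two-letter alias (LA, BA, SY, ...) or a literal SID
SDDL_RE = re.compile(r"^O:" + SID + "G:" + SID + r"D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split owner, group, DACL flags and ACEs (keyed by trustee).
    Assumes hex access masks and one ACE per trustee, as in the message above."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = {}
    for ace in re.findall(r"\(([^)]*)\)", ace_blob):
        _type, flags, rights, _obj, _inh_obj, trustee = ace.split(";")
        # ACE flags are two-letter codes: OI, CI, IO, ID (inherited), ...
        aces[trustee] = (int(rights, 16), frozenset(re.findall("..", flags)))
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return one human-readable line per difference between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = ["%s: %s -> expected %s" % (k, a[k], e[k])
           for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    for t in sorted(set(a["aces"]) | set(e["aces"])):
        got, want = a["aces"].get(t), e["aces"].get(t)
        if want is None:
            out.append("ACE %s: present, not in expected ACL" % t)
        elif got is None:
            out.append("ACE %s: missing" % t)
        else:
            if got[0] != want[0]:
                out.append("ACE %s: rights 0x%08x -> expected 0x%08x" % (t, got[0], want[0]))
            if got[1] != want[1]:
                out.append("ACE %s: flags %s -> expected %s"
                           % (t, " ".join(sorted(got[1])), " ".join(sorted(want[1]))))
    return out

if __name__ == "__main__":
    print("\n".join(diff_sddl(ACTUAL, EXPECTED)))
```

In SDDL, `ID` marks an inherited ACE, `AI` an auto-inherited DACL and `P` a protected DACL, so the differences listed are what `robocopy /sec` carried over from the Windows share and what `sysvolreset` then replaced.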
