Group Policies fail to apply on Windows 10 and Windows 2012 R2 machines joined to DSfW domain

  • 7018195
  • 27-Oct-2016
  • 14-Jul-2017

Environment

Novell Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 3
Domain Services for Windows
DSfW

Situation

Joined Windows 10 to the DSfW domain.
The GPOs are not applied when user logs in to the domain or when gpupdate is run on the command prompt.
Joined Windows 2012 R2 the DSfW domain.
The GPOs are not applied when the user logs in to the domain or when the gpupdate command is run on the command prompt,when the DFS link for the SYSVOL share points to an additional domain controller.

Resolution

Besides applying the October 2016 OES hot patch for DSfW on the DSfW servers the following manual steps have to be executed:
  1. Ensure that no principals are obtained in keytab using the command #klist -k | grep -i "cifs/`hostname --fqdn`/`hostname -d`"
  2. Add the required principals to keytab in all Domain Controllers of the domain using the command  #setpassword -NDSOf -r -u <server name(output of command 'hostname')>$ -E "<domain fqdn(output of command 'hostname --fqdn')>/<domainname(output of the command 'hostname -d')>,<domain fqdn with hostname in all CAPS>/<domainname>,<domain fqdn with domainname in all CAPS>/<domainname in all CAPS)>,<domain fqdn with hostname and domainname in all CAPS>/<domainname in all CAPS)>,<domain fqdn with hostname and domainname in all small>/<domainname in all small)>" -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
    The input for the parameter of -E option "<domain fqdn with hostname and domainname in all small>/<domainname in all small)>" is required only if the hostname is in mixed case.
  3. Reload all the DSFW services on all the Domain Controllers using the command #xadcntrl reload
  4. Verify that the required principals are added to keytab using the command #klist -k | grep -i "cifs/`hostname --fqdn`/`hostname -d`"
  5. Create a soft link in the primary domain controller using the command (Make sure that you are in /var/opt/novell/xad/sysvol/sysvol when creating the link) server:/var/opt/novell/xad/sysvol/sysvol # ln -s <domain_name>/Policies/ Policies
  6. Run the command #sysvolsync in the primary domain controller.
  7. Restart the workstations joined to the domain.
    The setpassword command that will be run on domain controllers will enable gpupdate command to work on Windows10 workstations and Windows 2012 R2 and  member servers. This will however work only if we reboot the workstations, because the newly auto-generated server password is downloaded to the client workstation only after the reboot.(Even logoff-login does not download the new password).
    The reboot is not only needed for Windows10 and Windows 2012 R2 , but also for existing Windows7 or equivalent member server workstations joined to the domain. After running setpassword command, the server password cached in these systems becomes obsolete, and therefore it requires reboot to download the new password.

Cause

The sysvol access in Windows 10 and Windows 2012 R2 servers using domain name requires additional CIFS service principal names in the kerberos keytab file.

Additional Information

We have the following script available to automate the above steps. Save this script in a file on the DC and call it fixspn.sh , then make it executable with chmod +x fixspn.sh and execute it with ./fixspn.sh 

#!/bin/bash

#Get FDQN and hostname
hostnamefqdn=`hostname --fqdn`
domainonly=`hostname -d`
hostnameonly=`hostname`

#Make Uppercase

HOSTNAMEFQDN=`echo $hostnamefqdn | awk '{print toupper($0)}'`
DOMAINONLY=`echo $domainonly | awk '{print toupper($0)}'`
HOSTNAMEONLY=`echo $hostnameonly | awk '{print toupper($0)}'`

#Check for existance of krb5.keytab

if [ ! -f /var/opt/novell/xad/ds/krb5kdc/krb5.keytab ]; then

                #We will now generate the new keytab

                echo "We will now run this to generate the new keytab file:"
                echo "setpassword -NDSOf -r -u $HOSTNAMEONLY\$ -E $hostnamefqdn/$domainonly,$HOSTNAMEFQDN/$DOMAINONLY,$hostnameonly.$DOMAINONLY/$DOMAINONLY,$HOSTNAMEONLY.$domainonly/$domainonly -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab"
                setpassword -NDSOf -r -u $HOSTNAMEONLY\$ -E $hostnamefqdn/$domainonly,$HOSTNAMEFQDN/$DOMAINONLY,$hostnameonly.$DOMAINONLY/$DOMAINONLY,$HOSTNAMEONLY.$domainonly/$domainonly -k /var/opt/novell/xad/ds/krb5kdc/krb5.keytab

                #Set permissions and ownership on new keytab

                chmod 640 /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
                chown root:named /var/opt/novell/xad/ds/krb5kdc/krb5.keytab
        else
                echo "/var/opt/novell/xad/ds/krb5kdc/krb5.keytab file detected. We will rename this file to krb5.keytab.orig."
                mv /var/opt/novell/xad/ds/krb5kdc/krb5.keytab /var/opt/novell/xad/ds/krb5kdc/krb5.keytab.orig
                ./fixspn.sh

#Check and create Policies link for sysvol

if [ ! -d /var/opt/novell/xad/sysvol/sysvol/Policies ]; then
                echo "Fixing sysvol link"
                cd /var/opt/novell/xad/sysvol/sysvol/
                ln -s $domainonly/Policies
                chown -R administrator:"domain admins" Policies
                echo "Please run xadcntrl reload and then sysvolsync"
        else
                echo "Please run xadcntrl reload"
fi
fi

Feedback service temporarily unavailable. For content questions or problems, please contact Support.