Understanding Group Policy on Windows 2008 r2 Server and forest trusts

We have 2 forests that trust each other.

One forest is datacenter.local and the other is headquarters.local.

At the data center we have 2 domain controllers, dc3.datacenter.local and dc1.datacenter.local. We also have another domain controller called dc2.datacenter.local at the headquarters office, so we have 3 domain controllers in the datacenter.local domain, which is also a forest.
At the headquarters office we have a domain (also a forest) called headquarters.local with 2 domain controllers, fs1.headquarters.local and fs2.headquarters.local.
Group Policy for datacenter.local is on dc3.datacenter.local which is also the PDC Emulator.  Group Policy for headquarters.local is on FS1.headquarters.local which is also the PDC Emulator.
Given this environment, how does Group Policy get applied?

This may or may not be an issue, but one of the things I'm seeing in the logs for one of my member servers in the datacenter.local domain is that Group Policy is coming from dc2.datacenter.local. Shouldn't it be coming from dc3.datacenter.local (which is the PDCe), since that is where Group Policy has been set?
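Added example (not part of the thread, and not taken from the members-only answers): a PowerShell check, run on the datacenter.local member server, of which DC the Group Policy client actually used and whether that matters. The DC locator hands a client a DC from the client's own AD site (falling back to any DC in the domain), and every DC holds a replica of each GPO's AD object and of SYSVOL, so policy is read from whichever DC the locator returned, not from the PDC emulator in particular; the PDCe is only the DC that GPMC binds to by default when you edit a GPO. Host and domain names are the ones from the question. `Get-ADDomain` needs the ActiveDirectory module and `Get-GPO` the GroupPolicy module (both ship with RSAT).

```powershell
# Added example, not code from the original thread. Run on the member server
# that logged policy coming from dc2.datacenter.local.

$domain = 'datacenter.local'

# 1. Which AD site does this machine think it is in, and which writable DC
#    did the locator return for it? A datacenter server that resolves to the
#    HQ-based dc2 usually means its subnet is not mapped to the datacenter site.
nltest /dsgetsite
nltest /dsgetdc:$domain /writable

# 2. Which DC actually served the last computer policy refresh?
$gp = gpresult /r /scope computer
$gp | Select-String -Pattern 'Group Policy was applied from', 'Site Name'

# 3. Where the PDC emulator lives. It is the default editing target for GPMC,
#    nothing more; clients are not required to read policy from it.
(Get-ADDomain -Identity $domain).PDCEmulator

# 4. Confirm the DC that served policy and the PDCe hold the same GPO versions
#    (AD part and SYSVOL part). If they match, it is irrelevant which one answered;
#    if they differ, the problem is replication, not DC selection.
$dcs = 'dc2.datacenter.local', 'dc3.datacenter.local'
foreach ($dc in $dcs) {
    Get-GPO -All -Domain $domain -Server $dc |
        Select-Object @{ n = 'Server';        e = { $dc } },
                      DisplayName,
                      Id,
                      @{ n = 'ComputerADVersion';     e = { $_.Computer.DSVersion } },
                      @{ n = 'ComputerSysvolVersion'; e = { $_.Computer.SysvolVersion } },
                      @{ n = 'UserADVersion';         e = { $_.User.DSVersion } },
                      @{ n = 'UserSysvolVersion';     e = { $_.User.SysvolVersion } }
}
```

If step 1 returns the HQ site or the HQ-based DC for a server physically in the data center, fix the subnet-to-site mapping in Active Directory Sites and Services rather than trying to pin clients to the PDCe; if step 4 shows version skew between DCs, look at AD and SYSVOL (FRS/DFSR) replication.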
ASKER CERTIFIED SOLUTION
Cliff Galiher
This solution is only available to members of Experts Exchange.

SOLUTION
This solution is only available to members of Experts Exchange.

ASKER
Okay, if Group Policy in a forest trust is no different than in a regular domain setup, why am I seeing this when a user from the headquarters.local domain logs into the datacenter.local domain?

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.
SOLUTION
This solution is only available to members of Experts Exchange.

SOLUTION
This solution is only available to members of Experts Exchange.

ASKER
Will this actually work?


Event ID: 1109    Source: Microsoft-Windows-GroupPolicy

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Resolve
•      Enable cross-forest user Group Policy processing
•      Open the Group Policy Management Console (GPMC).
•      Create a new Group Policy object (GPO) or select an existing one.
•      Edit the GPO and enable the following policy setting: Allow cross-forest user policy and roaming user profiles (located in Computer Configuration\Administrative Templates\System\Group Policy).
•      Log off and restart the computer.
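Added example (not from the thread or the linked TechNet page): a PowerShell script, run on the datacenter.local member server as an administrator, that reports whether "Allow cross-forest user policy and roaming user profiles" is actually in effect, lists the 1109 events the asker is seeing, and re-checks after a refresh. It assumes (this is an assumption about the registry backing of the setting, taken from the Group Policy settings reference) that the policy writes the REG_DWORD `AllowX-ForestPolicy-and-RUP` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`, with 1 meaning enabled.

```powershell
# Added example, not code from the original thread.
# Assumption: the GPO setting "Allow cross-forest user policy and roaming user
# profiles" is backed by this REG_DWORD; 1 = enabled, 0 = disabled, absent = not configured.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name = 'AllowX-ForestPolicy-and-RUP'

function Get-CrossForestPolicyState {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    switch ($v) {
        1       { 'Enabled: user policy from the trusted forest is processed normally' }
        0       { 'Disabled: loopback Replace is forced for cross-forest users' }
        default { 'Not configured: loopback Replace is forced for cross-forest users (default)' }
    }
}

# Event 1109 from the Group Policy provider is written to the System log.
function Get-CrossForestLoopbackEvents {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1109
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'Before refresh: ' + (Get-CrossForestPolicyState)
Get-CrossForestLoopbackEvents

# The setting lives under Computer Configuration, so the GPO must be linked to
# the OU (or domain) that contains the member server's *computer* object and
# must have replicated to the DC this server uses. Then refresh computer policy.
gpupdate /target:computer /force

'After refresh:  ' + (Get-CrossForestPolicyState)
gpresult /r /scope computer |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
```

Practitioner's caveat: the loopback Replace behaviour that produces event 1109 is deliberate. Without the setting, a headquarters.local user logging on to a datacenter.local server receives only user settings from GPOs that datacenter.local administrators control (scoped by the computer object's location). Enabling it means user settings from GPOs in the other forest, edited by that forest's administrators, are applied on your computers, so treat it as extending trust across the forest boundary, not just as fixing an event log message.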
SOLUTION
This solution is only available to members of Experts Exchange.

SOLUTION
This solution is only available to members of Experts Exchange.