Understanding Group Policy on Windows 2008 r2 Server and forest trusts

We have 2 forests that trust each other.

One forest is datacenter.local and the other is headquarters.local.

At the data center we have 2 domain controllers, dc3.datacenter.local and dc1.datacenter.local. We also have another domain controller called dc2.datacenter.local at the headquarters office, so we have 3 domain controllers in the datacenter.local domain, which is also a forest.
At the headquarters office we have a domain (also a forest) called headquarters.local with 2 domain controllers, fs1.headquarters.local and fs2.headquarters.local.
Group Policy for datacenter.local is on dc3.datacenter.local which is also the PDC Emulator. Group Policy for headquarters.local is on FS1.headquarters.local which is also the PDC Emulator.
Given this environment, how does Group Policy get applied?

This may or may not be an issue, but one of the things I'm seeing in the logs for one of my member servers in the datacenter.local domain is that group policy is coming from dc2.datacenter.local, but shouldn't it be coming from dc3.datacenter.local (which is the PDCe) since that is where Group Policy has been set?
Created asked:

Cliff Galiher commented:
Group policies are AD objects, and like any AD object, they are replicated among *all* domain controllers. So it doesn't matter where you set or "apply" it, it will be on all DCs for that domain upon completion of replication.

As far as which DC an individual client will "get" a group policy from, it does so just like it determines which DC to authenticate against or get other services from (published shares, printers, etc.), which is a rather complex formula of nearest DC (can be controlled by the Sites and Services snap-in) and least-cost calculations including slow-link detection.

So you can "set" a group policy on one DC, and a client at another site will get the same GP from another DC if it has replicated.

---

As an aside, forests and trusts have no bearing here. Group policies apply to domains or subtrees of the domain (OU, etc) so trusts have no factor.

-Cliff
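An added PowerShell example (not from this thread or any of its posters) that checks the two points Cliff makes against the asker's environment: which DC the locator picks for this client, and whether a GPO's AD and SYSVOL version stamps agree on every DC in datacenter.local. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and dc1/dc2/dc3 are reachable; the GPO name is a placeholder to substitute.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and ActiveDirectory
# RSAT modules; the domain and DC names are the ones given in the question.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = 'datacenter.local'
$gpoName = 'Default Domain Policy'   # placeholder: substitute the GPO you are tracking

# 1. Which DC would this client use? This runs the same locator logic the client
#    uses at logon (site membership first, then cost), so it is the DC that
#    policy will be fetched from, regardless of where the GPO was edited.
$dc = Get-ADDomainController -Discover -DomainName $domain -ForceDiscover
"Locator chose {0} (site {1})" -f $dc.HostName, $dc.Site

# 2. Read the GPO's version stamps from every DC. If the AD and SYSVOL versions
#    match on all DCs, the client receives the same policy whichever DC answers.
$results = foreach ($d in Get-ADDomainController -Filter * -Server $domain) {
    try {
        $g = Get-GPO -Name $gpoName -Domain $domain -Server $d.HostName
        [pscustomobject]@{
            DC             = $d.HostName
            UserAD         = $g.User.DSVersion
            UserSysvol     = $g.User.SysvolVersion
            ComputerAD     = $g.Computer.DSVersion
            ComputerSysvol = $g.Computer.SysvolVersion
            Modified       = $g.ModificationTime
        }
    } catch {
        [pscustomobject]@{ DC = $d.HostName; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# 3. Flag any DC whose stamps differ from the PDC emulator's copy: that DC has
#    not yet converged, and a client pointed at it will apply stale settings.
$pdc = (Get-ADDomain -Server $domain).PDCEmulator
$ref = $results | Where-Object DC -eq $pdc
$results |
    Where-Object {
        $_.DC -ne $pdc -and (
            $_.UserAD -ne $ref.UserAD -or $_.ComputerAD -ne $ref.ComputerAD -or
            $_.UserSysvol -ne $ref.UserSysvol -or $_.ComputerSysvol -ne $ref.ComputerSysvol)
    } |
    ForEach-Object { Write-Warning "$($_.DC) has not converged with $pdc for '$gpoName'" }
```

On the member server itself, `gpresult /r` shows a "Group Policy was applied from:" line; seeing dc2.datacenter.local there is expected when dc2 is the closest or cheapest DC for that machine's site, and is only a problem if step 3 reports a version mismatch.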

Will Szymkowski (Senior Solution Architect) commented:
Group policy is on all Domain Controllers. The PDC server is the authoritative server and has the final call if there are any discrepancies. Group policy gets replicated to all domain controllers similar to how the sysvol and netlogon shares are replicated (not exactly, but the same idea). So if dc2 is a read/write DC then what you see is normal.

When you open gpmc.msc (Group Policy Management Console), by default it will attempt to connect to the PDC first, but you can simply change the DC gpmc is connecting to. This is completely normal.

The PDC is authoritative, but read/write DCs also manage the load. Same with the time service: the PDC is the authoritative time source, but the additional domain controllers also distribute the time as they get it from the PDC.

Will.
Created (Author) commented:
Okay, if Group Policy in a forest trust is no different than in a regular domain setup, why am I seeing this when a user from the headquarters.local domain logs into the datacenter.local domain?

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.
Brian Pierce (Photographer) commented:
Group policies do not cross forest boundaries.
Will Szymkowski (Senior Solution Architect) commented:
That is correct. The PDC role is a domain role, not a forest role, which means it only applies to the individual domain and nothing else. Group Policy is totally separated at the domain level when policies are applied.

Will.
Created (Author) commented:
Will this actually work?

Event ID: 1109    Source: Microsoft-Windows-GroupPolicy

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Resolve
• Enable cross-forest user Group Policy processing
• Open the Group Policy Management Console (GPMC).
• Create a new Group Policy object (GPO) or select an existing one.
• Edit the GPO and enable the following policy setting: Allow Cross-Forest User Policy and Roaming User Profiles (located in Administrative Templates\System\Group Policy).
• Log off and restart the computer.
Cliff Galiher commented:
That *can* work depending on how you've set up the trust and authentication methods. Especially with selective authentication, things won't work how you expect or not at all.
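An added PowerShell example (not from this thread or any of its posters) that covers the "Resolve" steps quoted above and Cliff's selective-authentication caveat: it lists recent Event ID 1109 entries on the member server, checks whether the cross-forest user policy setting is in effect on that computer, sets it in a GPO, and reports the trust's authentication mode. It assumes the GroupPolicy and ActiveDirectory RSAT modules (Get-ADTrust ships with the Windows Server 2012-era module), that it runs on the datacenter.local member server logging the event, and that the registry value name behind the policy is the one I believe the GroupPolicy ADMX uses; the GPO name is a placeholder.

```powershell
# Added example, not from the thread. Run on the datacenter.local member server that
# logs Event ID 1109. Assumes the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Recent 1109 events, so you can see when and for which logon the computer fell
#    back to Loopback Replace because the user came from the other forest.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1109
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Is "Allow Cross-Forest User Policy and Roaming User Profiles" in effect here?
#    Assumption: the policy writes this DWORD (value name as I understand it from the
#    GroupPolicy ADMX; verify against your ADMX before relying on it).
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name = 'AllowX-ForestPolicy-and-RUP'
$val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($val -eq 1) { 'Cross-forest user policy processing: ENABLED' }
else            { 'Cross-forest user policy processing: not enabled (Loopback Replace will be used)' }

# 3. Enable it in a GPO. This is a Computer Configuration setting, so the GPO must be
#    linked where the datacenter.local computer object lives, not where the user is.
$gpoName = 'Cross-Forest User Policy'   # placeholder GPO name
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName $name -Type DWord -Value 1 | Out-Null
"Setting written to GPO '$gpoName'; link it to the computer's OU, then gpupdate /force and log off/on."

# 4. Cliff's caveat: with selective authentication the foreign user may not be able to
#    read the policy in the other forest at all, so check the trust's mode first.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication
```

If step 4 shows `SelectiveAuthentication : True`, the headquarters.local user also needs the "Allowed to Authenticate" permission on the datacenter.local computer (and read access to the GPO and its SYSVOL folder) before cross-forest user policy can apply; otherwise the 1109 fallback to Loopback Replace will remain the observed behaviour.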
Sandesh Dubey (Technical Lead) commented:
The links below will be helpful for fixing the event error.

Event ID 1109 — Application of Group Policy
http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810(WS.10).aspx

Loopback Replace does not work in cross forest environment
http://technet.microsoft.com/en-us/library/cc785691(WS.10).aspx

Regarding how clients process GPOs, see this:
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/22/understanding-the-structure-of-a-group-policy-object-part-3.aspx