Solved

Understanding Group Policy on Windows 2008 r2 Server and forest trusts

Posted on 2014-01-03
8
1,990 Views
Last Modified: 2014-01-08
We have 2 forests that trust each other.

One forest is datacenter.local and the other is headquarters.local.

At the data center we have 2 domain controllers, dc3.datacenter.local and dc1.datacenter.local. We also have another domain controller called dc2.datacenter.local at the headquarters office, so we have 3 domain controller in the datacenter.local domain which is also a forest.
At the headquarters office we have a domain (also a forest) called headquarters.local with 2 domain controllers, fs1.headquarters.local and fs2.headquarters.local.
Group Policy for datacenter.local is on dc3.datacenter.local which is also the PDC Emulator.  Group Policy for headquarters.local is on FS1.headquarters.local which is also the PDC Emulator.
Given this environment, how does Group Policy get applied?

This may or may not be an issue, but one of the things I'm seeing in the logs for one of my member servers in the datacenter.local doamin is that group policy is coming from dc2.datacenter.local, but shouldn't it be coming from dc3.datacenter.local (which is the PDCe) since that is were Group Policy has been set.
0
Comment
Question by:Created
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 167 total points
ID: 39755285
Group policies are AD objects, and like any AD object, they are replicated among *all* domain controllers. So it doesn't matter where you set or "apply" it, it will be on all DCs for that domain upon completion of replication.

As far as which DC an individual client will "get" a group policy from, it does so just like it determines which DC to authenticate against or get other services (published shares, printers, etc) which is a rather complex formula of nearest DC (can be controlled by the sites and services snap-in) and least cost calculations including slow-link detection.

So you can "set" a group policy on one DC, and a client at another site will get the same GP from another DC if it has replicated.

---

As an aside, forests and trusts have no bearing here. Group policies apply to domains or subtrees of the domain (OU, etc) so trusts have no factor.

-Cliff
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 167 total points
ID: 39755293
Group policy is on all Domain Controllers. The PDC server is the authoratative server and has the final call if there is any discrepinces. Group policy gets replicated to all domain controllers similar to how sysvol and netlogon shares are replicated (not exactly but same idea). So if dc2 is a read/write DC then what you see is normal.

When you open gpmc.msc (group policy management console) by default it will attempt to connecto to the PDC first but you can simply change the DC gpmc is connecting to. This is completely normal.

PDC is authoratitive but read/write DC's also manage the load. Same with the Time Server PDC is the authoratative time source but the additional domain controllers also distribute the time as they get it from the PDC.

Will.
0
 

Author Comment

by:Created
ID: 39755349
Okay, if Group Policy in a Forest Trust is no different that in a regular domain setup, why am I seeing this when a user from the headquarters.local domain logs into the datacenter.local domain?

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be aquired from the User Configuration of these policies.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 83 total points
ID: 39755374
Group policies do not cross forest boundaries.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 167 total points
ID: 39755376
That is correct. The PDC role is a Domain role not a Forest role which means it only applies to the individual domain and nothing else. Group Policy is total separated from each other at a domain level when policies are applied.

Will.
0
 

Author Comment

by:Created
ID: 39755381
Will this actually work?


Event ID:     1109     Source:      Microsoft-Windows-GroupPolicy

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be aquired from the User Configuration of these policies.

http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Resolve
•      Enable cross-forest user Group Policy processing
•      Open the Group Policy Management Console (GPMC).
•      Create a new Group Policy object (GPO) or select an existing one.
•      Edit the GPO and enable the following policy setting: AllowCross-Forest User Policy and Roaming User Profiles (located in Administrative Templates\System\Group Policy).
•      Log off and restart the computer.
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 39755399
That *can* work depending on how you've set up the trust and authentication methods. Especially with selective authentication, things won't work how you expect or not at all.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 83 total points
ID: 39755783
See below link will be helpful to fix the event error.

Event ID 1109 — Application of Group Policy
http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810(WS.10).aspx

Loopback Replace does not work in cross forest environment
http://technet.microsoft.com/en-us/library/cc785691(WS.10).aspx

Regarding how client process GPO see this
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/22/understanding-the-structure-of-a-group-policy-object-part-3.aspx
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question