Solved

Understanding Group Policy on Windows 2008 r2 Server and forest trusts

Posted on 2014-01-03
8
1,807 Views
Last Modified: 2014-01-08
We have 2 forests that trust each other.

One forest is datacenter.local and the other is headquarters.local.

At the data center we have 2 domain controllers, dc3.datacenter.local and dc1.datacenter.local. We also have another domain controller called dc2.datacenter.local at the headquarters office, so we have 3 domain controller in the datacenter.local domain which is also a forest.
At the headquarters office we have a domain (also a forest) called headquarters.local with 2 domain controllers, fs1.headquarters.local and fs2.headquarters.local.
Group Policy for datacenter.local is on dc3.datacenter.local which is also the PDC Emulator.  Group Policy for headquarters.local is on FS1.headquarters.local which is also the PDC Emulator.
Given this environment, how does Group Policy get applied?

This may or may not be an issue, but one of the things I'm seeing in the logs for one of my member servers in the datacenter.local doamin is that group policy is coming from dc2.datacenter.local, but shouldn't it be coming from dc3.datacenter.local (which is the PDCe) since that is were Group Policy has been set.
0
Comment
Question by:Created
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 167 total points
Comment Utility
Group policies are AD objects, and like any AD object, they are replicated among *all* domain controllers. So it doesn't matter where you set or "apply" it, it will be on all DCs for that domain upon completion of replication.

As far as which DC an individual client will "get" a group policy from, it does so just like it determines which DC to authenticate against or get other services (published shares, printers, etc) which is a rather complex formula of nearest DC (can be controlled by the sites and services snap-in) and least cost calculations including slow-link detection.

So you can "set" a group policy on one DC, and a client at another site will get the same GP from another DC if it has replicated.

---

As an aside, forests and trusts have no bearing here. Group policies apply to domains or subtrees of the domain (OU, etc) so trusts have no factor.

-Cliff
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 167 total points
Comment Utility
Group policy is on all Domain Controllers. The PDC server is the authoratative server and has the final call if there is any discrepinces. Group policy gets replicated to all domain controllers similar to how sysvol and netlogon shares are replicated (not exactly but same idea). So if dc2 is a read/write DC then what you see is normal.

When you open gpmc.msc (group policy management console) by default it will attempt to connecto to the PDC first but you can simply change the DC gpmc is connecting to. This is completely normal.

PDC is authoratitive but read/write DC's also manage the load. Same with the Time Server PDC is the authoratative time source but the additional domain controllers also distribute the time as they get it from the PDC.

Will.
0
 

Author Comment

by:Created
Comment Utility
Okay, if Group Policy in a Forest Trust is no different that in a regular domain setup, why am I seeing this when a user from the headquarters.local domain logs into the datacenter.local domain?

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be aquired from the User Configuration of these policies.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 83 total points
Comment Utility
Group policies do not cross forest boundaries.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 167 total points
Comment Utility
That is correct. The PDC role is a Domain role not a Forest role which means it only applies to the individual domain and nothing else. Group Policy is total separated from each other at a domain level when policies are applied.

Will.
0
 

Author Comment

by:Created
Comment Utility
Will this actually work?


Event ID:     1109     Source:      Microsoft-Windows-GroupPolicy

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be aquired from the User Configuration of these policies.

http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Resolve
•      Enable cross-forest user Group Policy processing
•      Open the Group Policy Management Console (GPMC).
•      Create a new Group Policy object (GPO) or select an existing one.
•      Edit the GPO and enable the following policy setting: AllowCross-Forest User Policy and Roaming User Profiles (located in Administrative Templates\System\Group Policy).
•      Log off and restart the computer.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
Comment Utility
That *can* work depending on how you've set up the trust and authentication methods. Especially with selective authentication, things won't work how you expect or not at all.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 83 total points
Comment Utility
See below link will be helpful to fix the event error.

Event ID 1109 — Application of Group Policy
http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810(WS.10).aspx

Loopback Replace does not work in cross forest environment
http://technet.microsoft.com/en-us/library/cc785691(WS.10).aspx

Regarding how client process GPO see this
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/22/understanding-the-structure-of-a-group-policy-object-part-3.aspx
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now