Understanding Group Policy on Windows 2008 r2 Server and forest trusts

We have 2 forests that trust each other.

One forest is datacenter.local and the other is headquarters.local.

At the data center we have 2 domain controllers, dc3.datacenter.local and dc1.datacenter.local. We also have another domain controller called dc2.datacenter.local at the headquarters office, so we have 3 domain controllers in the datacenter.local domain, which is also a forest.
At the headquarters office we have a domain (also a forest) called headquarters.local with 2 domain controllers, fs1.headquarters.local and fs2.headquarters.local.
Group Policy for datacenter.local is on dc3.datacenter.local, which is also the PDC Emulator. Group Policy for headquarters.local is on FS1.headquarters.local, which is also the PDC Emulator.
Given this environment, how does Group Policy get applied?

This may or may not be an issue, but one of the things I'm seeing in the logs for one of my member servers in the datacenter.local domain is that group policy is coming from dc2.datacenter.local. Shouldn't it be coming from dc3.datacenter.local (which is the PDCe), since that is where Group Policy has been set?

Cliff Galiher commented:
Group policies are AD objects, and like any AD object, they are replicated among *all* domain controllers. So it doesn't matter where you set or "apply" it, it will be on all DCs for that domain upon completion of replication.

As far as which DC an individual client will "get" a group policy from, it does so just like it determines which DC to authenticate against or get other services (published shares, printers, etc) which is a rather complex formula of nearest DC (can be controlled by the sites and services snap-in) and least cost calculations including slow-link detection.

So you can "set" a group policy on one DC, and a client at another site will get the same GP from another DC if it has replicated.

---

As an aside, forests and trusts have no bearing here. Group policies apply to domains or subtrees of the domain (OU, etc) so trusts have no factor.

-Cliff

Will Szymkowski (Senior Solution Architect) commented:
Group policy is on all Domain Controllers. The PDC server is the authoritative server and has the final call if there are any discrepancies. Group policy gets replicated to all domain controllers similar to how the sysvol and netlogon shares are replicated (not exactly, but the same idea). So if dc2 is a read/write DC then what you see is normal.

When you open gpmc.msc (Group Policy Management Console) it will by default attempt to connect to the PDC first, but you can simply change the DC that gpmc is connecting to. This is completely normal.

The PDC is authoritative, but read/write DCs also manage the load. Same with the time server: the PDC is the authoritative time source, but the additional domain controllers also distribute the time as they get it from the PDC.

Will.

Author commented:
Okay, if Group Policy in a Forest Trust is no different than in a regular domain setup, why am I seeing this when a user from the headquarters.local domain logs into the datacenter.local domain?

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

Brian Pierce (Photographer) commented:
Group policies do not cross forest boundaries.

Will Szymkowski (Senior Solution Architect) commented:
That is correct. The PDC role is a domain role, not a forest role, which means it only applies to the individual domain and nothing else. Group Policy is totally separated at the domain level when policies are applied.

Will.

Author commented:
Will this actually work?

Event ID: 1109 Source: Microsoft-Windows-GroupPolicy

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Resolve: Enable cross-forest user Group Policy processing
• Open the Group Policy Management Console (GPMC).
• Create a new Group Policy object (GPO) or select an existing one.
• Edit the GPO and enable the following policy setting: Allow Cross-Forest User Policy and Roaming User Profiles (located in Administrative Templates\System\Group Policy).
• Log off and restart the computer.
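The following PowerShell is an added example, not code posted in this thread: it checks a member server for the Event ID 1109 entries quoted above, reports whether the "Allow Cross-Forest User Policy and Roaming User Profiles" setting is in effect, enables it through a GPO, and then shows which DC supplied policy (the dc2 vs dc3 question from the original post). It assumes the GroupPolicy RSAT module is installed, that the policy writes the registry value AllowX-ForestPolicy-and-RUP under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (taken from the GroupPolicy.admx template), and uses 'Cross-Forest Users' as a placeholder GPO name.

```powershell
# Added example (not from the thread). Run elevated on the member server in
# datacenter.local, or from an admin workstation with RSAT for step 3.

# 1. Find Event ID 1109 from the Group Policy provider in the System log for
#    the last 7 days; its message is the loopback-replace text quoted above.
$cutoff = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1109
        StartTime    = $cutoff
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Check whether the cross-forest setting is already applied locally.
#    Assumption: the ADMX policy writes this DWORD value (1 = enabled).
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name = 'AllowX-ForestPolicy-and-RUP'
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Host "Cross-forest user policy processing is enabled on $env:COMPUTERNAME."
} else {
    Write-Host "Cross-forest user policy processing is NOT enabled; Loopback Replace will be used."
}

# 3. Enable the setting in a GPO linked to the OU that holds the server's
#    computer object. 'Cross-Forest Users' is a placeholder GPO name; create or
#    link it in GPMC first, as the resolve steps describe.
Import-Module GroupPolicy
Set-GPRegistryValue -Name 'Cross-Forest Users' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName $name -Type DWord -Value 1

# 4. Refresh policy and confirm which DC it was applied from
#    (gpresult prints a "Group Policy was applied from:" line), which is the
#    same DC-selection behaviour Cliff describes above.
gpupdate /force
gpresult /r /scope:computer
```

Step 3 only changes the GPO; the member server still needs the log off and restart from the resolve steps (or the gpupdate in step 4 plus a new logon) before the user from headquarters.local gets a normal, non-loopback policy set.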
 
Cliff Galiher commented:
That *can* work depending on how you've set up the trust and authentication methods. Especially with selective authentication, things won't work how you expect or not at all.

Sandeshdubey (Senior Server Engineer) commented:
The links below will be helpful to fix the event error.

Event ID 1109 — Application of Group Policy
http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810(WS.10).aspx

Loopback Replace does not work in cross forest environment
http://technet.microsoft.com/en-us/library/cc785691(WS.10).aspx

Regarding how clients process GPOs, see this:
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/22/understanding-the-structure-of-a-group-policy-object-part-3.aspx