• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2220

Understanding Group Policy on Windows 2008 r2 Server and forest trusts

We have 2 forests that trust each other.

One forest is datacenter.local and the other is headquarters.local.

At the data center we have 2 domain controllers, dc3.datacenter.local and dc1.datacenter.local. We also have another domain controller called dc2.datacenter.local at the headquarters office, so we have 3 domain controllers in the datacenter.local domain, which is also a forest.
At the headquarters office we have a domain (also a forest) called headquarters.local with 2 domain controllers, fs1.headquarters.local and fs2.headquarters.local.
Group Policy for datacenter.local is on dc3.datacenter.local which is also the PDC Emulator.  Group Policy for headquarters.local is on FS1.headquarters.local which is also the PDC Emulator.
Given this environment, how does Group Policy get applied?

This may or may not be an issue, but one of the things I'm seeing in the logs for one of my member servers in the datacenter.local domain is that group policy is coming from dc2.datacenter.local. Shouldn't it be coming from dc3.datacenter.local (which is the PDCe), since that is where Group Policy has been set?
6 Solutions
 
Cliff Galiher commented:
Group policies are AD objects, and like any AD object, they are replicated among *all* domain controllers. So it doesn't matter where you set or "apply" it, it will be on all DCs for that domain upon completion of replication.

As far as which DC an individual client will "get" a group policy from, it does so just like it determines which DC to authenticate against or to get other services from (published shares, printers, etc.), which is a rather complex formula of nearest DC (controllable through the Sites and Services snap-in) and least-cost calculations, including slow-link detection.

So you can "set" a group policy on one DC, and a client at another site will get the same GP from another DC if it has replicated.

---

As an aside, forests and trusts have no bearing here. Group policies apply to domains or subtrees of the domain (OU, etc) so trusts have no factor.

-Cliff
0
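The checks a practitioner would run to confirm the above on a datacenter.local member server, as an added example that is not code from anyone in this thread: which DC the locator picks for this client (and which site it resolved to), which DC gpresult says the last refresh was applied from, and whether every DC's copy of a GPO has converged. A GPO has two halves that replicate separately, the groupPolicyContainer object in AD (its versionNumber attribute) and the Policies\{GUID}\GPT.ini file in SYSVOL (its Version= line), and a client is only in trouble when the DC it talks to has a stale or missing half. Assumptions: the ActiveDirectory RSAT module, a domain-joined session that can read SYSVOL on every DC, and "Default Domain Policy" as a placeholder GPO name.

```powershell
# Added example, not from the original thread. Assumptions: ActiveDirectory
# RSAT module present, run from a domain-joined datacenter.local session that
# can read SYSVOL on every DC; 'Default Domain Policy' is a placeholder name.
Import-Module ActiveDirectory

function Get-GpoVersionPerDC {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$GpoName
    )
    $domainDn = (Get-ADDomain -Server $Domain).DistinguishedName

    # Resolve the GPO's {GUID} container from its display name.
    $gpo = Get-ADObject -Server $Domain `
        -SearchBase "CN=Policies,CN=System,$domainDn" `
        -LDAPFilter "(&(objectClass=groupPolicyContainer)(displayName=$GpoName))"
    if (-not $gpo) { throw "GPO '$GpoName' not found in $Domain" }

    foreach ($dc in Get-ADDomainController -Server $Domain -Filter *) {
        # AD half of the GPO, read from this specific DC's replica.
        $adVersion = (Get-ADObject -Server $dc.HostName -Identity $gpo.DistinguishedName `
                        -Properties versionNumber).versionNumber

        # SYSVOL half of the GPO, read from this DC's own SYSVOL share.
        $gptIni = "\\$($dc.HostName)\SYSVOL\$Domain\Policies\$($gpo.Name)\GPT.ini"
        $sysvolVersion = $null
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue
        if ($m) { $sysvolVersion = [int]$m.Matches[0].Groups[1].Value }

        [pscustomobject]@{
            DC            = $dc.HostName
            Site          = $dc.Site
            PdcEmulator   = [bool]($dc.OperationMasterRoles -contains 'PDCEmulator')
            ADVersion     = $adVersion
            SysvolVersion = $sysvolVersion
            Converged     = ($null -ne $sysvolVersion) -and ($adVersion -eq $sysvolVersion)
        }
    }
}

# 1. Which DC the locator picks for this client, and the site it resolved to.
#    A datacenter client answered by dc2 (the HQ-site DC) usually means the
#    client's subnet is not mapped to the datacenter site in Sites and Services.
nltest /dsgetdc:datacenter.local /force

# 2. Which DC the last policy refresh actually came from.
gpresult /r /scope:computer | Select-String 'applied from'

# 3. Has the GPO converged on every DC? A DC with a lower version or a missing
#    GPT.ini is one that has not finished replicating yet.
Get-GpoVersionPerDC -Domain 'datacenter.local' -GpoName 'Default Domain Policy' |
    Format-Table -AutoSize
```

If step 1 returns a DC in the wrong site, fix the subnet-to-site mapping rather than the GPO: the client is behaving correctly for the site it thinks it is in. If step 3 shows ADVersion and SysvolVersion disagreeing on one DC, that DC's clients will log Group Policy processing errors until AD replication and SYSVOL replication both catch up, and the PDC emulator being "right" does not help them.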
 
Will Szymkowski, Senior Solution Architect, commented:
Group Policy is on all domain controllers. The PDC server is the authoritative server and has the final call if there are any discrepancies. Group Policy gets replicated to all domain controllers similar to how the SYSVOL and NETLOGON shares are replicated (not exactly, but the same idea). So if dc2 is a read/write DC then what you see is normal.

When you open gpmc.msc (Group Policy Management Console), by default it will attempt to connect to the PDC first, but you can simply change the DC GPMC is connecting to. This is completely normal.

The PDC is authoritative, but read/write DCs also manage the load. Same with the time server: the PDC is the authoritative time source, but the additional domain controllers also distribute the time as they get it from the PDC.

Will.
0
 
Author commented:
Okay, if Group Policy in a forest trust is no different than in a regular domain setup, why am I seeing this when a user from the headquarters.local domain logs into the datacenter.local domain?

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.
0
 
KCTS commented:
Group policies do not cross forest boundaries.
0
 
Will Szymkowski, Senior Solution Architect, commented:
That is correct. The PDC role is a domain role, not a forest role, which means it only applies to the individual domain and nothing else. Group Policy is totally separated at the domain level when policies are applied.

Will.
0
 
Author commented:
Will this actually work?


Event ID:     1109     Source:      Microsoft-Windows-GroupPolicy

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Resolve
•      Enable cross-forest user Group Policy processing
•      Open the Group Policy Management Console (GPMC).
•      Create a new Group Policy object (GPO) or select an existing one.
•      Edit the GPO and enable the following policy setting: Allow Cross-Forest User Policy and Roaming User Profiles (located in Administrative Templates\System\Group Policy).
•      Log off and restart the computer.
0
 
Cliff Galiher commented:
That *can* work depending on how you've set up the trust and authentication methods. Especially with selective authentication, things won't work how you expect or not at all.
0
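To act on that caveat before relying on the resolution steps above, the checks below (an added example, not code from anyone in this thread) run on the datacenter.local member server that logged event 1109. They pull the recent 1109 events, read whether the computer-side setting "Allow cross-forest user policy and roaming user profiles" is in effect on this machine, and show the trust attributes that decide whether the user's home-forest DCs can be reached at all. Assumptions: the ActiveDirectory RSAT module, headquarters.local as the trusted forest, and that the setting writes the AllowX-ForestPolicy-and-RUP value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (the mapping in GroupPolicy.admx; confirm against your own ADMX copy).

```powershell
# Added example, not from the original thread. Run on the datacenter.local member
# server that logged 1109. Assumes the ActiveDirectory RSAT module and that
# 'headquarters.local' is the trusted forest. The registry value name below is
# the one GroupPolicy.admx maps to "Allow cross-forest user policy and roaming
# user profiles"; confirm it against your ADMX copy.
Import-Module ActiveDirectory

function Get-CrossForestPolicyState {
    # Effective state of the cross-forest user policy setting on this computer:
    # Enabled, Disabled, or NotConfigured (the default, which is loopback replace).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $name = 'AllowX-ForestPolicy-and-RUP'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item)   { return 'NotConfigured' }
    if ($item.$name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-RecentCrossForestEvents {
    param([int]$Max = 10)
    # Event 1109 is written by Microsoft-Windows-GroupPolicy to the System log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1109
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ n = 'UserSid'; e = { $_.UserId } },
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 1. Who hit loopback replace, and when. The SID is the foreign-forest user.
Get-RecentCrossForestEvents | Format-Table -AutoSize

# 2. Is this computer allowed to pull user policy from the user's home forest?
"Cross-forest user policy on $env:COMPUTERNAME : $(Get-CrossForestPolicyState)"

# 3. Trust attributes that gate the outcome. With SelectiveAuthentication = True
#    the headquarters user also needs 'Allowed to Authenticate' on this computer
#    object, or logon (and therefore policy) fails regardless of the GPO setting.
Get-ADTrust -Identity 'headquarters.local' |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, SIDFilteringQuarantined

# 4. After enabling the setting and rebooting, confirm on the next user logon:
#    1109 should stop and the user section should list headquarters.local GPOs.
# gpresult /r /scope:user
```

The setting is a Computer Configuration policy: it has to reach the datacenter.local computer the user logs on to, not the user's account in headquarters.local. Enabling it means this server reads and executes GPOs authored in the other forest's SYSVOL (logon scripts, registry settings, software installation), so whoever edits GPOs in headquarters.local gains configuration control over every datacenter.local machine those users log on to. Leave it at the default, loopback replace, wherever the two forests are separate administrative or trust boundaries, and accept that the foreign user then receives only the user settings from GPOs linked where the computer object sits.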
 
Sandeshdubey commented:
The links below will be helpful to fix the event error.

Event ID 1109 — Application of Group Policy
http://technet.microsoft.com/en-us/library/cc727296(v=ws.10).aspx

Deployment considerations for Group Policy
http://technet.microsoft.com/en-us/library/cc738810(WS.10).aspx

Loopback Replace does not work in cross forest environment
http://technet.microsoft.com/en-us/library/cc785691(WS.10).aspx

Regarding how clients process GPOs, see this:
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/22/understanding-the-structure-of-a-group-policy-object-part-3.aspx
0
