AD Trust, User GPO Fail

  • Question

  • Dear Community

    We have a problem similar to the one described in this report:

    https://social.technet.microsoft.com/Forums/en-US/c7641c89-76d5-4f44-aced-e492638f7dea/oneway-crossforest-roaming-profile-and-gpo-processing-issues?forum=winservergen



    Scenario
    Two domains connected to each other via a one-way trust.
    In between is a firewall.

    Firewall --> Off, all computers can communicate

    • User 1 in domain A should log on to the computer in domain B. --> Works
    • User 1 is a member of a global group in Domain A; this global group in Domain A is a member of a domain local group in Domain B; the domain local group in Domain B is linked to the GPO via the security filter
    • If user 1 in domain A logs on to computer in domain B, the GPO should be used --> works

    Firewall --> On, only communication between DC A and DC B allowed.

    • User 1 account removed from computer in domain B

    • User 1 in domain A should log on to the computer in domain B. --> Works
    • If user 1 in domain A logs on to the computer in domain B, the GPO should be used --> does not work
    • Gpupdate /force fails

    ***
    C:\Users\1>gpupdate /force
    Updating Policy ...

    User policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following:
    a) Name resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    Computer Policy update has completed successfully.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    C:\Users\1>
    ***

    The solution shown in the description of the problem, opening the firewall, is unfortunately not an option because the computers in domain B are not allowed to communicate directly with the DC in domain A.

    Question:
    Does the computer in domain B have to communicate directly with the DC in domain A?
    If not, is there a workaround for this? Unfortunately, the topic is not addressed in any of the explanations.

    Thank you in advance!
    • Moved by Dave Patrick (MVP) Thursday, October 22, 2020 8:38 PM (looking for forum)
    Thursday, October 22, 2020 8:11 PM
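The question above hinges on whether the domain-B computer can locate and reach a domain controller of the user's domain (domain A) on the ports user Group Policy processing uses; the following PowerShell is an added diagnostic for checking exactly that, not code from the post or from Microsoft. It assumes a placeholder DNS name for domain A and the standard DC port set (DNS 53, Kerberos 88, RPC 135, LDAP 389, SMB 445); run it on the domain-B computer.

```powershell
# Added diagnostic, not from the original post. Run on the domain-B computer to see whether
# it can locate a domain controller of the user's domain (domain A) and reach it on the
# ports user Group Policy processing relies on. The domain name below is a placeholder.
$UserDomainDns = 'domaina.example'   # placeholder: DNS name of the user's domain (domain A)

# Ports the Group Policy client needs on a DC of the user's domain:
# 53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP (GPO enumeration), 445 SMB (SYSVOL).
$Ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445 }

# 1) DC locator: the client finds DCs of the user's domain through this SRV record.
$srvName = "_ldap._tcp.dc._msdcs.$UserDomainDns"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "Cannot resolve $srvName from this client; user GPO processing cannot even find a DC for $UserDomainDns (check DNS / conditional forwarders)."
    return
}

# 2) Port reachability for every DC returned by the locator record.
$results = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    $row = [ordered]@{ DC = $dc }
    foreach ($name in $Ports.Keys) {
        # -InformationLevel Quiet returns $true/$false for the TCP connect test
        $row[$name] = Test-NetConnection -ComputerName $dc -Port $Ports[$name] `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize

# 3) Interpretation: if LDAP and SMB to every DC of the user's domain are blocked, the client
# cannot read the user's GPO list or SYSVOL, which is consistent with the "could not resolve
# the user name" failure quoted in the question. The local Group Policy log has the detail:
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 20 |
    Where-Object { $_.LevelDisplayName -in 'Error','Warning' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

A row showing $false for LDAP and SMB on every DC means the firewall rule described in the question (only DC-to-DC traffic allowed) is what the user policy phase is hitting.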

Answers