Guest cbtg2006 Posted October 17, 2008

Hi guys,

We're in the middle of a migration from a Win2K forest to a Win2K3 forest and I'm having fun with Group Policies.

We use GPO to deploy Office 2000 to clients, this is a machine assigned application. I have migrated the policy using GPMC but software deployments do not work from a workstation in the new domain trying to receive the source installation files from a machine in the old domain. I have even tried this with a new policy created in the new domain using MSI source files from the old domain.

I guess my question is, initially simple; is it possible to deploy machine assigned software via Group Policy in a multi-forest environment?

The following article is confusing: http://support.microsoft.com/kb/274274 - I am unsure whether it states that it is not possible, or to simply apply permissions to shares using the 'Authenticated Users' group. If it is the latter I have indeed tried this without success.

Any suggestions / insights on this issue greatly appreciated!

Guest cbtg2006 Posted October 22, 2008

Re: X-Forest GPO Machine Assigned Software Deployment

Well, FYI...

Machine Assigned Software GPOs rely upon Kerberos Authentication. A standard external two-way trust between forests supports NTLM authentication models only, Kerberos is not supported.

Running Network Monitor from a client in one forest trying to access the source files for the install in another you will see the following error on the machine if you try and access a share using the command prompt running as the machine account:

    KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

To achieve this use the following command to launch the command prompt as the machine account:

    at 11:31 /interactive cmd

Change 11:31 for the time now +1 minute. Then run the following command whilst running a trace using Network Monitor:

    pushd \\servername\sharename

The Kerberos errors will be listed in your Network Monitor trace.

So, Kerberos is failing. Looking at the following article we see that Kerberos is required for GPO Software deployments:

http://support.microsoft.com/kb/274274

And the next article discusses authentication methods and trusts:

http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/DirectoryServices/igdrbp_2.mspx

The latter article states that a 2003 Forest Trust supports Kerberos, but a standard external trust supports only NTLM.

So in answer to my own quest, NO, it is not possible to deploy machine assigned software via Group Policy in a multi-forest environment.

-Chris

On Oct 17, 11:06 am, cbtg2006 <chrismbradf...@gmail.com> wrote:
> Hi guys,
>
> We're in the middle of a migration from a Win2K forest to a Win2K3
> forest and I'm having fun with Group Policies.
>
> We use GPO to deploy Office 2000 to clients, this is a machine
> assigned application. I have migrated the policy using GPMC but
> software deployments do not work from a workstation in the new domain
> trying to receive the source installation files from a machine in the
> old domain. I have even tried this with a new policy created in the
> new domain using MSI source files from the old domain.
>
> I guess my question is, initially simple; is it possible to deploy
> machine assigned software via Group Policy in a multi-forest
> environment?
>
> The following article is confusing: http://support.microsoft.com/kb/274274
> - I am unsure whether it states that it is not possible, or to simply
> apply permissions to shares using the 'Authenticated Users' group. If
> it is the latter I have indeed tried this without success.
>
> Any suggestions / insights on this issue greatly appreciated!
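
A way to check which kind of trust a domain has before troubleshooting a cross-forest deployment, as an added example that is not part of the original posts. It lists trusts through the .NET `System.DirectoryServices.ActiveDirectory` classes and labels each one using the distinction the thread draws (forest trust: Kerberos; external trust: NTLM only). The function names and the `*.example` sample trusts are constructed for illustration; the sample is used only when the machine is not domain-joined.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Label a trust with the authentication behaviour described in the thread.
function Get-TrustKerberosSupport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $kerberos = switch ([string]$Trust.TrustType) {
            'Forest'   { $true }    # forest trust: Kerberos supported
            'External' { $false }   # external trust: NTLM only
            default    { $null }    # trust types the thread does not discuss
        }
        [pscustomobject]@{
            Source              = $Trust.SourceName
            Target              = $Trust.TargetName
            TrustType           = [string]$Trust.TrustType
            Direction           = [string]$Trust.TrustDirection
            KerberosAcrossTrust = $kerberos
        }
    }
}

# Enumerate domain-level and forest-level trusts of the current machine's domain.
function Get-LiveTrust {
    $ns = 'System.DirectoryServices.ActiveDirectory'
    ([type]"$ns.Domain")::GetCurrentDomain().GetAllTrustRelationships()
    ([type]"$ns.Forest")::GetCurrentForest().GetAllTrustRelationships()
}

# Constructed sample data (hypothetical names), used when no domain is reachable.
$sample = @(
    [pscustomobject]@{ SourceName = 'new.example'; TargetName = 'old.example'
                       TrustType = 'External'; TrustDirection = 'Bidirectional' }
    [pscustomobject]@{ SourceName = 'new.example'; TargetName = 'partner.example'
                       TrustType = 'Forest'; TrustDirection = 'Bidirectional' }
)

try   { $trusts = @(Get-LiveTrust) }
catch { $trusts = $sample }         # GetCurrentDomain() throws off-domain

$trusts | Get-TrustKerberosSupport |
    Sort-Object Target, TrustType -Unique |
    Format-Table -AutoSize
```

A trust reported as `External` with `KerberosAcrossTrust` false matches the situation in the thread, where the machine account's request for the share in the other forest fails with `KDC_ERR_S_PRINCIPAL_UNKNOWN`.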