X-Forest GPO Machine Assigned Software Deployment

[Guest cbtg2006]

Hi guys,

 

We're in the middle of a migration from a Win2K forest to a Win2K3

forest and I'm having fun with Group Policies.

 

We use GPO to deploy Office 2000 to clients, this is a machine

assigned application. I have migrated the policy using GPMC but

software deployments do not work from a workstation in the new domain

trying to receive the source installation files form a machine in the

old domain. I have even tried this with a new policy created in the

new domain using MSI source files from the old domain.

 

I guess my question is, initially simple; is it possible to deploy

machine assigned software via Group Policy in a multi-forest

environment?

 

The following article is confusing: http://support.microsoft.com/kb/274274

- I am unsure whether it state that it is not possible, or to simply

apply permissions to shares using the 'Authenticated Users' group. if

it is the latter I have indeed tried this without success.

 

Any suggestions / insights on this issue greatly appreciated!

[Guest cbtg2006]

Re: X-Forest GPO Machine Assigned Software Deployment

 

Well, FYI...

 

Machine Assigned Software GPOs rely upon Kerberos Authentication. A

standard external two-way trust between forests support NTLM

authentication models only, kerberos is not supported. Running Network

Monitor from a client in one forest trying to access the source files

for the install in another you will see the following error on the

machine if you try and access a share using the command prompt running

as the machine account:

 

KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

 

To achieve this use the following command to launch the command prompt

as the machine account:

 

at 11:31 /interactive cmd

 

Change 11:31 for the time now +1 minute. Then run the following

command whilst running a trace using Network monitor:

 

pushd \\servername\sharename

 

The kerberos errors will be listed in your network monitor trace.

 

 

So, kerberos is failing. Looking at the following article we see that

Kerberos is required for GPO Software deployments:

 

http://support.microsoft.com/kb/274274

 

And the next arictle discusses authentication methods and trusts:

 

http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/DirectoryServices/igdrbp_2.mspx

 

The latter article states that a 2003 Forest Trust supports kerberos,

but a standard external trust supports only NTLM.

 

So in answer to my own quest, NO, it is not possible to deploy machine

assigned software via Group Policy in a multi-forest environment.

 

-Chris

 

 

On Oct 17, 11:06 am, cbtg2006 <chrismbradf...@gmail.com> wrote:

> Hi guys,

>

> We're in the middle of a migration from a Win2K forest to a Win2K3

> forest and I'm having fun with Group Policies.

>

> We use GPO to deploy Office 2000 to clients, this is a machine

> assigned application. I have migrated the policy using GPMC but

> software deployments do not work from a workstation in the new domain

> trying to receive the source installation files form a machine in the

> old domain. I have even tried this with a new policy created in the

> new domain using MSI source files from the old domain.

>

> I guess my question is, initially simple; is it possible to deploy

> machine assigned software via Group Policy in a multi-forest

> environment?

>

> The following article is confusing:http://support.microsoft.com/kb/274274

> - I am unsure whether it state that it is not possible, or to simply

> apply permissions to shares using the 'Authenticated Users' group. if

> it is the latter I have indeed tried this without success.

>

> Any suggestions / insights on this issue greatly appreciated!