Group.policy.inheritance.between.parent.and.child.domain

  • Group.policy.inheritance.between.parent.and.child.domain

    I know that I have to manually create a trust relationship between parent and child domain.

    I'm just curious of why Microsoft doesn't make the trust relationship by default between a parent and a child domain.

    Thanks!!!

    Change Log:

    12.08.04

    Change title of the post

    Old one: Trust.relationship.between.parent.and.child.domain
    Teamwork

  • #2
    Who said you had to create such trusts? Check out your AD Domains and Trusts and you'll see that the trusts are there by default. Furthermore you cannot remove them.
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT


    • #3
      Petri.

      First of all, I'm sorry for posting a really really "dumb" question. Something wrong with my mind. I was about to ask about Group Policy Inheritance... somehow I typed in relationship LOL. Sorry again.

      The question really is: Why doesn't group policy inherit from parent domain to the child domain?

      Thanks!!!
      Teamwork


      • #4
        LOL

        GPO does NOT inherit from parent domain to child domain. This is a "built-in" feature...

        You can, however, use GPOs on sites, then you'll be able to "catch" more domains in one GPO. However, using GPOs on sites is usually not recommended due to replication issues between the DCs of the various domains.
        Cheers,

        Daniel Petri
        Microsoft Most Valuable Professional - Active Directory Directory Services
        MCSA/E, MCTS, MCITP, MCT


        • #5
          Actually, GPOs can be propagated to child domains.
          By default GPO inheritance is disabled, but if you look at the domain object of the child domain (DC=child,DC=domain,DC=com), you will see the "Block Policy inheritance" flag checked. Just uncheck it and you are set.

          Btw, some "Default Domain Policy" settings will not apply to child domains (and this is by design). Things like password complexity and IPSec policies are domain (and not forest) wide.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"


          • #6
            I learn something new every day!

            And this actually works? 100%? How about the GPT? What about SYSVOL issues?
            Cheers,

            Daniel Petri
            Microsoft Most Valuable Professional - Active Directory Directory Services
            MCSA/E, MCTS, MCITP, MCT


            • #7
              100% works.

              Moreover, with W2K3 forest trusts, GPOs can be applied across forests!
              i.e.: user from forest A logs on to forest B (there is forest trust between the forests) and receives Computer settings from forest B and user settings from forest A.

              As for SYSVOL, GPC and GPT, those are located by querying relevant DCs in the domain in question.

              By default, new child domains block inheritance of GPOs from parents, but as I have already mentioned, this can be changed.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"


              • #8
                ok... looks like I was either too drunk (which was not the case) or was under severe influence of jetlag.

                I totally confused cross forest or cross-domain GPO application with GPO inheritance.

                GPOs are NOT inherited from parent domains. period.
                http://www.microsoft.com/resources/d...ag_inherit.asp

                The only excuse I might have is the fact that GPOs from parent domains can be linked to containers in child domains.

                Now I am going to find myself a dark corner and drown my shame in the booze.
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"
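
What post #8 settles on (no inheritance from the parent domain, but a GPO stored in a parent domain can be linked to a container in a child domain) is recorded in each container's `gPLink` and `gPOptions` attributes. The following is an added example, not part of the original thread: it decodes those attributes for domain and OU objects and lists links that point at a GPO stored in another domain. The sample rows and the second GUID are constructed.

```python
import re

# One link inside a gPLink value: [LDAP://<GPO DN>;<options>]
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

def domain_of(dn):
    """DNS domain name built from the DC= components of a distinguished name."""
    return ".".join(re.findall(r"(?:^|,)DC=([^,]+)", dn, re.IGNORECASE)).lower()

def audit_container(container_dn, gplink, gpoptions=0):
    """Decode gPLink/gPOptions read from one domain or OU object."""
    home = domain_of(container_dn)
    links = []
    for gpo_dn, opts in LINK_RE.findall(gplink or ""):
        flags = int(opts)
        guid = re.search(r"\{[0-9A-Fa-f-]+\}", gpo_dn)
        links.append({
            "gpo": guid.group(0).upper() if guid else gpo_dn,
            "gpo_domain": domain_of(gpo_dn),
            "disabled": bool(flags & 1),   # bit 0: link disabled
            "enforced": bool(flags & 2),   # bit 1: link enforced
            "cross_domain": domain_of(gpo_dn) != home,
        })
    # gPOptions bit 0 set means "Block Policy inheritance" on this container
    return {"container": container_dn,
            "block_inheritance": bool(int(gpoptions or 0) & 1),
            "links": links}

def cross_domain_links(rows):
    """(container, GPO GUID, GPO's domain) for every link that leaves the domain."""
    out = []
    for dn, gplink, gpoptions in rows:
        for link in audit_container(dn, gplink, gpoptions)["links"]:
            if link["cross_domain"]:
                out.append((dn, link["gpo"], link["gpo_domain"]))
    return out

# Constructed sample rows: (distinguishedName, gPLink, gPOptions)
SAMPLE = [
    ("DC=child,DC=domain,DC=com",
     "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=child,DC=domain,DC=com;0]", 0),
    ("OU=Workstations,DC=child,DC=domain,DC=com",
     "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=domain,DC=com;2]", 0),
]

if __name__ == "__main__":
    for row in cross_domain_links(SAMPLE):
        print(row)
```
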


                • #9
                  Rrrrrrrggghhhhh!

                  Drunk huh? Jet lag? And I started to actually think I needed to re-study my GPO stuff...

                  Cheers,

                  Daniel Petri
                  Microsoft Most Valuable Professional - Active Directory Directory Services
                  MCSA/E, MCTS, MCITP, MCT


                  • #10
                    Hi,

                    I created a trust relationship between a Windows 2000 server and a Windows 2003 server, both PDC of different forest, and the trust is a two-way trust. However, only PDC of Windows 2003 server can access resources from PDC of Windows 2000 server. PDC of Windows 2000 server couldn't access PDC of Windows 2003 server. Besides, users in PDC of Windows 2003 couldn't log on to domain of that PDC of Windows 2000 server also even when I tried to log on as administrator of Windows 2000 server using PC of domain user of Windows 2003 server. The domain list is updated in the log on, but just couldn't log on to the domain of Windows 2000 server.

                    Thanks.

                    Best regards,
                    TKT


                    • #11
                      What sort of error are you getting?
                      Cheers,

                      Daniel Petri
                      Microsoft Most Valuable Professional - Active Directory Directory Services
                      MCSA/E, MCTS, MCITP, MCT
