X-Forest GPO Machine Assigned Software Deployment

Thread starter: cbtg2006
Hi guys,

We're in the middle of a migration from a Win2K forest to a Win2K3
forest and I'm having fun with Group Policies.

We use GPO to deploy Office 2000 to clients, this is a machine
assigned application. I have migrated the policy using GPMC but
software deployments do not work from a workstation in the new domain
trying to receive the source installation files from a machine in the
old domain. I have even tried this with a new policy created in the
new domain using MSI source files from the old domain.

I guess my question is, initially simple; is it possible to deploy
machine assigned software via Group Policy in a multi-forest
environment?

The following article is confusing: http://support.microsoft.com/kb/274274
- I am unsure whether it states that it is not possible, or to simply
apply permissions to shares using the 'Authenticated Users' group. If
it is the latter I have indeed tried this without success.

Any suggestions / insights on this issue greatly appreciated!
 
Re: X-Forest GPO Machine Assigned Software Deployment

Well, FYI...

Machine Assigned Software GPOs rely upon Kerberos Authentication. A
standard external two-way trust between forests supports NTLM
authentication models only; Kerberos is not supported. Running Network
Monitor from a client in one forest trying to access the source files
for the install in another you will see the following error on the
machine if you try and access a share using the command prompt running
as the machine account:

KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

To achieve this use the following command to launch the command prompt
as the machine account:

at 11:31 /interactive cmd

Change 11:31 for the time now +1 minute. Then run the following
command whilst running a trace using Network monitor:

pushd \\servername\sharename

The Kerberos errors will be listed in your Network Monitor trace.


So, Kerberos is failing. Looking at the following article we see that
Kerberos is required for GPO Software deployments:

http://support.microsoft.com/kb/274274

And the next article discusses authentication methods and trusts:

http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/DirectoryServices/igdrbp_2.mspx

The latter article states that a 2003 Forest Trust supports Kerberos,
but a standard external trust supports only NTLM.

So in answer to my own question, NO, it is not possible to deploy machine
assigned software via Group Policy in a multi-forest environment.

-Chris


On Oct 17, 11:06 am, cbtg2006 <chrismbradf...@gmail.com> wrote:
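The conclusion above hinges on the trust type: a 2003 forest trust carries Kerberos across forests, an external trust does not. The following script is an added example, not from the thread, that classifies every trust of the local domain the same way; it assumes the ActiveDirectory PowerShell module (RSAT, not available in the 2007 environment discussed here) and read access to the trust objects.

```powershell
# Added example: classify AD trusts as Kerberos-capable (forest trust) or
# NTLM-only (external trust), which decides whether machine-assigned
# software GPOs can pull their MSI source from the trusted forest.
# Assumption: ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-TrustAuthCapability {
    # TRUST_ATTRIBUTE_FOREST_TRANSITIVE (0x8) is set only on forest trusts;
    # a standard external trust lacks it and therefore falls back to NTLM.
    $ForestTransitiveFlag = 0x8

    Get-ADTrust -Filter * | ForEach-Object {
        $isForestTrust = (($_.TrustAttributes -band $ForestTransitiveFlag) -ne 0)
        [pscustomobject]@{
            Partner                  = $_.Name
            Direction                = $_.Direction
            TrustKind                = if ($isForestTrust) { 'Forest trust' } else { 'External trust' }
            CrossTrustAuth           = if ($isForestTrust) { 'Kerberos + NTLM' } else { 'NTLM only' }
            MachineAssignedGpoViable = $isForestTrust
        }
    }
}

# Any partner reported as 'NTLM only' will produce the KDC_ERR_S_PRINCIPAL_UNKNOWN
# failure described in the thread when the machine account opens the share.
Get-TrustAuthCapability | Format-Table -AutoSize
```

To confirm from the client side, repeat the pushd test from a SYSTEM command prompt (on current Windows, where the at service is gone, Sysinternals `psexec -s -i cmd` gives the same prompt) and then run `klist` in that prompt: across a forest trust a cifs/servername service ticket is cached, across an external trust none is, because the session fell back to NTLM.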
 