| Author |
Message |
Mark C Guest
|
Posted: Wed Aug 19, 2009 12:57 pm Post subject: AD / DNS Guru Help Needed |
|
|
|
Sorry for crossposting, but not sure which group is most appropriate. I'm
having a GPO problem, but I'm pretty sure the underlying issue is AD.
I have two domains, DOM-A and DOM-B, that trust each other with a two-way
NONTRANSITIVE trust. (I don't know if that's important or not).
Users in DOM-B connect to a Citrix server in DOM-A. But DOM-B user logon
scripts are not running when they log in. (The logon scripts are defined in
group policy. There are other GPO rules that are not being applied as
well.)
In the event viewer of the Citrix server, I see 1030 and 1050 errors
whenever a DOM-B user tries to log in: "Windows cannot access the file
gpt.ini ...."
From the Citrix server (remember, it's in DOM-A), I can click on Start \ Run
\ \\servername\sysvol, and I can see the sysvol share. However, if I use
the syntax \\domainname\sysvol, I cannot see the share. This leads me to
think something somewhere is messed up with DNS. To test this, I added an
entry in the hosts file of the Citrix server pointing domainname.com to one
of the DCs in DOM-B. This *seemed* to fix the problem, but it was only
temporary. So I'm not really sure if that fixed it or if it was something
else.
So to sum it up: DOM-B users' GPO settings are not being applied when they
log into DOM-A. And they are supposed to. I've got "Allow Cross Forest
blah blah" enabled and all that. I believe the problem is DNS related, but
I'm not sure what steps to take to troubleshoot beyond those I've already
taken.
Thanks
|
|
Ace Fekay [MCT] Guest
|
Posted: Wed Aug 19, 2009 3:06 pm Post subject: Re: AD / DNS Guru Help Needed |
|
|
"Mark C" <markc@askfordomain.ok> wrote in message
news:Wv-dnV9yxNB5jxHXnZ2dnUVZ_o-dnZ2d@posted.internetamerica...
| Quote: | Sorry for crossposting, but not sure which group is most appropriate. I'm
having a GPO problem, but I'm pretty sure the underlying issue is AD.
I have two domains, DOM-A and DOM-B, that trust each other with a two-way
NONTRANSITIVE trust. (I don't know if that's important or not).
Users in DOM-B connect to a Citrix server in DOM-A. But DOM-B user logon
scripts are not running when they log in. (The logon scripts are defined
in group policy. There are other GPO rules that are not being applied as
well.)
In the event viewer of the Citrix server, I see 1030 and 1050 errors
whenever a DOM-B user tries to log in: "Windows cannot access the file
gpt.ini ...."
From the Citrix server (remember, it's in DOM-A), I can click on Start \
Run \ \\servername\sysvol, and I can see the sysvol share. However, if I
use the syntax \\domainname\sysvol, I cannot see the share. This leads me
to think something somewhere is messed up with DNS. To test this, I added
an entry in the hosts file of the Citrix server pointing domainname.com to
one of the DCs in DOM-B. This *seemed* to fix the problem, but it was
only temporary. So I'm not really sure if that fixed it or if it was
something else.
So to sum it up: DOM-B users' GPO settings are not being applied when
they log into DOM-A. And they are supposed to. I've got "Allow Cross
Forest blah blah" enabled and all that. I believe the problem is DNS
related, but I'm not sure what steps to take to troubleshoot beyond those
I've already taken.
Thanks
|
Non-transitive NTLM trusts rely on NetBIOS for authentication. However, AD
authentication and connectivity rely on DNS. Hosts files don't do the
trick because of SRV record requirements, which hosts files do not support.
So it sounds like a simple DNS resolution issue. Did you configure a
Conditional Forwarder from domainA's DNS to two of domainB's DNS servers, and
vice versa? If not, I would suggest configuring that and eliminating the
hosts files.
Where else did you post it to?
It doesn't appear you cross-posted this; rather, you have multi-posted it.
Otherwise the other groups would have shown up in the posted groups list in
the newsreader. Cross-posting (by indicating multiple groups to post to at
once) allows any responses to simultaneously populate all threads it was
cross-posted to, as well as allowing us to collaborate to help you from anywhere
it was posted. Multiposting does not, and you would have to search
each of your postings individually for responses, and we would have to try to
find the other posts.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
|
|
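A way to test the DNS side of the reply above from the Citrix server in DOM-A, as an added example that is not part of any post in this thread. It assumes `dom-b.example` as a placeholder for DOM-B's DNS name and a system where `Resolve-DnsName` is available (Windows Server 2012 / Windows 8 or later).

```powershell
# Added diagnostic sketch; 'dom-b.example' is a placeholder for DOM-B's DNS name.
param(
    [string]$RemoteDomain = 'dom-b.example'
)

# DC locator SRV records, which a hosts file cannot provide.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$RemoteDomain",
    "_kerberos._tcp.dc._msdcs.$RemoteDomain",
    "_ldap._tcp.$RemoteDomain"
)

function Test-DnsRecord {
    param([string]$Name, [string]$Type)
    try {
        # -NoHostsFile keeps a leftover hosts entry from masking a gap in DNS.
        $answers = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -NoHostsFile -ErrorAction Stop |
            Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Type }
    } catch {
        $answers = @()
    }
    $targets = $answers | ForEach-Object {
        if ($Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress }
    }
    [pscustomobject]@{
        Name    = $Name
        Type    = $Type
        Found   = [bool]$answers
        Targets = $targets -join ', '
    }
}

$results  = @($srvNames | ForEach-Object { Test-DnsRecord -Name $_ -Type 'SRV' })
# \\domainname\sysvol needs the bare domain name to resolve to DC addresses.
$results += Test-DnsRecord -Name $RemoteDomain -Type 'A'
$results | Format-Table -AutoSize

# The domain-based path Group Policy uses when it reads gpt.ini.
$policies = "\\$RemoteDomain\SYSVOL\$RemoteDomain\Policies"
"{0} reachable: {1}" -f $policies, (Test-Path -LiteralPath $policies)
```

Any row with `Found` set to False points at a name the DOM-A DNS servers cannot resolve for DOM-B.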
Meinolf Weber [MVP-DS] Guest
|
Posted: Thu Aug 20, 2009 6:25 am Post subject: Re: AD / DNS Guru Help Needed |
|
|
Hello Mark,
In addition to Ace's info, also check the following GPO setting:
Computer configuration, administrative templates, system, group policy "Allow
Cross-Forest User Policy and Roaming User Profiles"
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
| Quote: | Sorry for crossposting, but not sure which group is most appropriate.
I'm having a GPO problem, but I'm pretty sure the underlying issue is
AD.
I have two domains, DOM-A and DOM-B, that trust each other with a
two-way NONTRANSITIVE trust. (I don't know if that's important or
not).
Users in DOM-B connect to a Citrix server in DOM-A. But DOM-B user
logon scripts are not running when they log in. (The logon scripts
are defined in group policy. There are other GPO rules that are not
being applied as well.)
In the event viewer of the Citrix server, I see 1030 and 1050 errors
whenever a DOM-B user tries to log in: "Windows cannot access the file
gpt.ini ...."
From the Citrix server (remember, it's in DOM-A), I can click on Start
\ Run \ \\servername\sysvol, and I can see the sysvol share. However,
if I use the syntax \\domainname\sysvol, I cannot see the share. This
leads me to think something somewhere is messed up with DNS. To test
this, I added an entry in the hosts file of the Citrix server pointing
domainname.com to one of the DCs in DOM-B. This *seemed* to fix the
problem, but it was only temporary. So I'm not really sure if that
fixed it or if it was something else.
So to sum it up: DOM-B users' GPO settings are not being applied when
they log into DOM-A. And they are supposed to. I've got "Allow Cross
Forest blah blah" enabled and all that. I believe the problem is DNS
related, but I'm not sure what steps to take to troubleshoot beyond
those I've already taken.
Thanks
|
|
|