We have a large corporate intranet with a multi-domain forest that we can call the GREEN forest.
In a segregated network we have a single-domain forest that we can call the RED forest.
We have full IP connectivity between the top/root domain controllers in the two forests (fully meshed, Cisco ACL permitting traffic flows based on source and destination IP addresses), and we have managed to implement a one-way cross-forest RED trust on GREEN.
We want only RED computer GPOs to be applied on RED Windows 7 clients, so we enabled LOOPBACK and set it to REPLACE.
When a RED user logs on to a RED Windows 7 client, both authentication and the computer GPO are applied as expected.
Now the issue: when a GREEN user logs on to a RED Windows 7 client, the authentication across the forest works, but the computer GPO is never applied.
We have been told by a Microsoft support engineer that we must permit IP connectivity between the RED clients and the GREEN domain controllers where the user accounts are defined.
Can this really be true, that all clients must have IP connectivity with the user account DCs?
Here is a link describing how GPO should work in a cross-forest setup, but there is no statement about firewalls:
http://www.frickelsoft.net/blog/?p=284
Here is a link to a similar case as ours; in the last posts they agree that it should work, but they never got it going: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1b60243e-e5a8-4e13-bc4b-b134caf127a6/
I can understand that there have been problems in the past, but that must have been sorted out to provide scalable AD/GPO services, for example between companies or within a company group.
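A diagnostic you can run on a RED client to check the two things this question turns on: that loopback processing is really in Replace mode, and whether the client can reach the user's (GREEN) domain controllers on the ports Group Policy processing uses. This is an added example, not from the original post; `green.example` is a placeholder for the GREEN forest root domain, and it assumes the client can resolve that domain name in DNS (e.g. via a conditional forwarder).

```powershell
# Added diagnostic (not from the original post). Run on a RED Windows 7 client.
$UserForestDomain = 'green.example'   # placeholder: GREEN forest root domain
$Ports = 88, 389, 445, 135            # Kerberos, LDAP, SMB (SYSVOL), RPC endpoint mapper

# 1. Confirm the loopback setting that was pushed to this client.
#    UserPolicyMode 2 = Replace, 1 = Merge, missing = loopback not configured.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    2       { 'Loopback: Replace' }
    1       { 'Loopback: Merge' }
    default { 'Loopback: not configured' }
}

# 2. Ask the DC locator whether a GREEN DC can be found across the trust at all.
nltest /dsgetdc:$UserForestDomain

# 3. TCP reachability test for each GREEN DC address on each Group Policy port.
#    Uses TcpClient with a timeout so a blocked port reports $false instead of hanging.
function Test-Port {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { return $true }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# The domain's own A records point at its DCs, so resolving the domain name yields DC addresses.
$dcs = [System.Net.Dns]::GetHostAddresses($UserForestDomain) | ForEach-Object { $_.IPAddressToString }
foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        '{0}:{1} reachable={2}' -f $dc, $p, (Test-Port -Target $dc -Port $p)
    }
}
```

Run it once as a RED user and once as a GREEN user; if step 3 shows the GREEN DC ports blocked while step 1 shows Replace, the ACL rather than the loopback setting is the first thing to look at.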