GPO is not applied between trusted forests.

  • Question

  • Good afternoon!

    Please help me figure this out: GPO is not applied between forests. A one-way trust is configured between two forests: domain1.local (domain/forest functional level Windows 2003) and domain2.local (domain/forest functional level Windows 2012R2).

    A user from domain1 logs on to a machine that is a member of domain2.local and gets an error, Event ID 1053:

    The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

    On the server in the domain2.local domain that I log on to, I enabled GPO logging (gpsvc.txt):

    GPSVC(328.338) 12:31:30:695 Waiting for user group policy thread to terminate.
    GPSVC(328.338) 12:31:30:695 User group policy thread has terminated.
    GPSVC(328.338) 12:31:30:710 Setting GPsession state = 0
    GPSVC(328.338) 12:31:30:710 Deleting critical section for UserSid <S-1-5-21-3175769907-2057547688-2701492464-3192>
    GPSVC(328.338) 12:31:30:710 Deleting sidString <S-1-5-21-3175769907-2057547688-2701492464-3192>
    GPSVC(328.338) 12:31:46:271 Setting GPsession state = 1
    GPSVC(328.a8c) 12:32:16:425 SID = S-1-5-21-3175769907-2057547688-2701492464-3192
    GPSVC(328.a8c) 12:32:16:425 bMachine = 0
    GPSVC(328.a8c) 12:32:16:425 Setting GPsession state = 1
    GPSVC(328.a8c) 12:32:16:425 Message Status = <Applying user settings...>
    GPSVC(328.a8c) 12:32:16:425 Setting GPsession state = 1
    GPSVC(328.6a4) 12:32:16:425 StartTime For network wait: 10656ms
    GPSVC(328.6a4) 12:32:16:425 Current Time: 827968ms
    GPSVC(328.6a4) 12:32:16:425 MaxTimeToWaitForNetwork: 12244ms
    GPSVC(328.6a4) 12:32:16:425 TimeRemainingToWaitForNetwork: 0ms
    GPSVC(328.6a4) 12:32:16:425 UserPolicy: Waiting for machine policy wait for network event with timeout 0 ms
    GPSVC(328.6a4) 12:32:17:924 ProcessGPOs: MyGetUserName failed with 1355.
    GPSVC(328.6a4) 12:32:17:924 Opened query for NLA successfully
    GPSVC(328.6a4) 12:32:17:924 ProcessGPOs: No WMI logging done in this policy cycle.
    GPSVC(328.6a4) 12:32:17:924 ProcessGPOs: Processing failed with error 1355.
    GPSVC(328.6a4) 12:32:17:924 ProcessGPOs: Boot/Logon Policy processing - checking if UBPM trigger events need to be fired
    GPSVC(328.6a4) 12:32:17:924 CheckAndFireGPTriggerEvent: Applied GPO list is empty. Not firing UBPM trigger events.
    GPSVC(328.6a4) 12:32:17:924 Application complete with bConnectivityFailure = 1.
    GPSVC(328.6a4) 12:32:17:924 Registering for Connectivity notification.
    GPSVC(328.6a4) 12:32:17:924 Registered for NLA notification successfully
    GPSVC(328.6a4) 12:32:17:924 RegisterForNotificationIfRequired returned Status = 0x4ce but continuing...
    GPSVC(328.6a4) 12:32:17:924 Application complete with bConnectivityFailure = 1.
    GPSVC(328.6a4) 12:32:17:924 Registering for Connectivity notification.
    GPSVC(328.6a4) 12:32:17:924 Registered for NLA notification successfully
    GPSVC(328.6a4) 12:32:17:924 RegisterForNotificationIfRequired returned Status = 0x4ce but continuing...

    It's not quite clear where to dig...

    That is, the part of the GPO that applies to the user is not applied, while the part that applies to the computer is applied.

    >gpupdate /force
    Updating Policy...

    User policy could not be updated successfully. The following errors were encount
    ered:

    The processing of Group Policy failed. Windows could not resolve the user name.
    This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain co
    ntroller has not replicated to the current domain controller).
    Computer Policy update has completed successfully.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.

    In the domain2.local domain,

    I set Allow Cross-Forest User Policy and Roaming User Profiles to Disabled.

    September 28, 2015, 9:49

Answers
