Trust relationships are not working

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains how to check if GPOs are not applying because trust relationships are not working.

Cause

You can link GPOs across domains, provided there is a trust relationship between the domains. If the trust relationship is broken, clients will be unable to access the GPO and related files. You might also encounter performance issues with links across domains.

You cannot link a GPO in one forest to a site, domain, or OU in a different forest.

Solution

If the GPO cannot be applied due to lack of trust, it will appear in the list of Denied GPOs and the reason given will be Inaccessible.

Use Active Directory Domains and Trusts or nltest.exe to verify the trust relationship, and to if repair it if necessary.

If you are not concerned about the identical GPO being applied in both domains, copy the GPO to the domain with the Active Directory containers you want to link to it.

See Also

Concepts

Administering Domain and Forest Trusts