Loopback Replace does not work in cross forest environment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Group Policy Loopback-Replace mode allows you to force a user to use a particular set of user GPOs instead of the ones that the user account is normally tied to. This is helpful in terminal server environments because it guarantees the integrity of your terminal servers. It is also useful in a public computer environment, such as a kiosk or library, where many different people log on to computers.

Cross-forest trust was introduced in Windows Server 2003. With a cross-forest trust you can connect two root domains, which gives each domain access to the other. In addition, any new domains that are created under either root domain are automatically given the same access as the parent root domain. This enables different forests to communicate with each other, and it also enables users to log on to computers in either forest with ease.

Problems with Loopback-Replace in a cross-forest environment can be difficult to troubleshoot, due to the number of factors that can affect it. Even if your Group Policy is set up correctly, you can still have problems getting Loopback-Replace to work in a cross-forest environment.

Event IDs

The following event IDs are relevant to this section:

Source    Event ID  Event Text
Userenv   1529      Loopback Group Policy processing will be applied, using the Group Policy objects scoped to the machine.
Userenv   1109      A User from a different forest logged onto this machine. Cross Forest Group Policy processing is disabled and loopback processing has been enforced in this forest for this user account.

Cause

To understand how Loopback-Replace works, you need to understand the processing order of GPOs. When a computer is turned on, the computer applies the machine GPOs from the site, domain, and each nested OU that applies to it. When the user logs on to the computer, it processes the user GPOs in the same order. With Loopback-Replace you are changing how the computer processes the user GPOs: instead of the user's GPOs being processed the normal way, the user gets the GPOs that you specify, regardless of which domain the user is coming from or which GPOs normally apply to that user account.

A number of things can cause Loopback-Replace to fail, and due to the complexity of cross-forest environments, the number of potential problems increases when the two technologies are used together. Potential causes of a Loopback-Replace failure could be that loopback was set up inappropriately, Organizational Units do not have the necessary user Group Policy for the Loopback to reference, or RPC is not running on the machine's domain controller.

If you have Loopback-Replace running in a cross-forest environment, you can have some additional problems. The main ones are tied to network health and connectivity. It is important to make sure that the domains are able to communicate with each other and still have a full two-way trust. Firewalls between the two domains can also cause problems by blocking traffic between the machine that the user is attempting to log on to and the domain controller that the user belongs to.

Solution

Verify that you have set up Loopback-Replace Mode correctly in Group Policy. To turn on Loopback-Replace Mode, create a GPO linked to the server OU (the OU that contains the target computers). Under User Configuration, click Administrative Templates, click System, click Group Policy, and then double-click the User Group Policy Loopback Processing Mode policy setting. Activate the policy by clicking Enabled. After you have enabled the setting, click Mode, click Replace, and then click OK.

If this does not fix the problem, try troubleshooting network connectivity between the target computer and the domain controller in the user's originating forest. In order for the computer to contact both its own domain controller and the user's domain controller, RPC must be running. Run the rpings.exe and the rpingc.exe commands to determine the health of RPC on your network. You can also try running a network trace from the target machine to the user's domain controller. If possible, it would also be helpful to run a network trace at the same time from the domain controller to the target machine, which should help you determine the location of any network problems. A network trace will also help you determine whether a firewall is causing this issue.
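The following PowerShell script is an added example for the checks described in this Solution section; it is not part of the original article and is not a Microsoft tool. Run it on the target computer (the terminal server or kiosk) as a local administrator. It reads the effective loopback setting, lists the two Userenv events from the table above, and tests whether the user's home-forest domain controller answers on the RPC endpoint mapper port. The domain controller name is a placeholder you must replace. The registry value the policy setting maps to (UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, where 1 = Merge and 2 = Replace) is the setting's documented ADM mapping and is not stated by the article itself. The script goes slightly beyond the article by also probing TCP 389 and 445, because Group Policy processing reads GPO objects over LDAP and the GPO templates from SYSVOL over SMB, so a firewall that blocks either of those produces the same symptom as blocked RPC.

```powershell
# Added example, not from the original article. Read-only troubleshooting
# checks for Loopback-Replace in a cross-forest environment.
param(
    # PLACEHOLDER: replace with a domain controller in the user's home forest.
    [string]$UserDomainController = "DC1.USERFOREST.EXAMPLE"
)

# 1. Effective loopback mode on this computer.
#    "User Group Policy loopback processing mode" writes UserPolicyMode
#    (1 = Merge, 2 = Replace). No value means the GPO is not applying here.
$key  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
if ($mode -eq 2) {
    "Loopback mode: Replace (UserPolicyMode = 2) - expected for this scenario"
} elseif ($mode -eq 1) {
    "Loopback mode: Merge (UserPolicyMode = 1) - policy is enabled but not in Replace mode"
} else {
    "Loopback mode: not set - the loopback GPO is not applying to this computer"
}

# 2. The Userenv events from the table above, in the Application log.
#    1529 = loopback applied; 1109 = cross-forest user, loopback enforced.
#    Only the newest 200 Application events are scanned; raise the number on a busy server.
Get-EventLog -LogName Application -Source Userenv -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1529 -or $_.EventID -eq 1109 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap

# 3. Can this computer reach the user's domain controller?
#    135 = RPC endpoint mapper, 389 = LDAP (GPO lookup), 445 = SMB (SYSVOL).
#    System.Net.Sockets.TcpClient is used instead of Test-NetConnection so the
#    script also runs on the PowerShell versions available for Windows Server 2003.
foreach ($port in 135, 389, 445) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($UserDomainController, $port)
        "TCP $port to $UserDomainController : open"
    } catch {
        # A firewall between the forests typically shows up here as a timeout or refusal.
        "TCP $port to $UserDomainController : blocked or unreachable ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}
```

If the first check reports Replace but event 1109 is logged and none of the ports are reachable, the problem is on the network or firewall side rather than in Group Policy, which is where the rpings.exe, rpingc.exe and network-trace steps above apply. If the mode is not set at all, the GPO link or the OU placement of the computer account should be checked first.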

Supported Operating Systems

Cross-forest trust and Loopback-Replace are not available on all current Microsoft operating systems. Use the following table to determine whether your network is capable of running this setup.

Operating System                              Supported
Windows Server 2003                           Yes
Windows XP Service Pack 2 (SP2)               Yes
Windows XP Service Pack 1 (SP1) or earlier    No
Windows 2000 Service Pack 4 (SP4)             Yes
Windows 2000 Service Pack 3 (SP3) or earlier  No