Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Resultant Set of Policy Planning mode is not supported in cross-forest scenarios in Windows Server 2003



This article was previously published under Q312373



Symptoms

Administrators cannot use the Resultant Set of Policy (RSoP) Planning mode to plan for scenarios that span forests in Microsoft Windows Server 2003. For example, you cannot plan a scenario where a user logs on to a workstation in Forest 1 from Forest 2. When you try to run RSoP Planning mode in a cross-forest environment, you may receive the following Group Policy error message:
Cross forest planning mode scenarios are not currently supported



Cause

RSoP Planning mode does not support cross-forest scenarios because domain controllers are not well trusted outside their respective forests. In many potential scenarios, RSoP cannot validate the information that is returned from a domain controller that is located in another forest. To successfully read a particular policy in a cross-forest environment, the Authenticated Users group must have Read permissions on the relevant policies. Microsoft does not recommend granting the Authenticated Users group Read permission on all policies. If both the user and the computer reside in the same forest, RSoP will be able to generate a complete set of data.

In a cross-forest scenario, if the user wants to connect to a computer that is in the remote forest to generate the RSoP Planning data for that user, the domain controller of the forest where the user resides must first contact the domain controller of the remote forest. This is performed to obtain a list of policies that apply to the appropriate user or computer of the requested domain controller. The domain controller performs this action on behalf of the user who uses RSoP Planning. The results that are returned to the requested domain controller depend on the rights that the domain controller has in the remote forest, not on the rights of the user who uses RSoP Planning. Therefore, cross-forest support is blocked in RSoP Planning mode because the data that is provided by RSoP Planning may be incomplete or inaccurate. Cross-forest support for RSoP Planning may be enabled in a future version of Windows. Consider the following scenarios.
Scenario      User        Computer    Domain Controller
Scenario 1    Forest 1    Forest 1    Forest 1
Scenario 2    Forest 2    Forest 1    Forest 1
Scenario 3    Forest 1    Forest 2    Forest 1
Scenario 4    Forest 2    Forest 2    Forest 1

  • Scenario 1 is fully supported. In this scenario, the user generates an RSoP Planning policy data for a local domain controller. Therefore, if the administrator who uses RSoP Planning has correct credentials, the generated RSoP Planning policy data will be complete and accurate.
  • In Scenario 2, the RSoP policy data that is generated will contain correct data about policies that are applied on the computer, including site policies that apply to Forest 1. However, user policies may be correct, may be partially correct, or may be incorrect.
  • In Scenario 3, neither the user policy experience nor the computer policy experience can be verified. This is because the relevant site-based policies that are applied on the computer will be different from the policy that is applied on Forest 1. Also, if the user selects the loopback processing option for the computer, the RSoP Planning process will not be able to simulate this environment because the computer will apply the Group Policy objects from the Forest 2 domain controller for the user to log on to the computer. This is not supported by RSoP Planning. Therefore, the user's actual experience may be different from what is reported by RSoP Planning.
  • In Scenario 4, the RSoP Planning policy data will be complete because the success or failure of RSoP Planning is dependent on the credentials of the user, and not those of the domain controller.



Workaround

To work around this issue, you may run RSoP Planning mode on the domain controller of the user and the domain controller of the computer separately, and then manually combine the data to analyze the result.

For additional information about how to install and use RSoP in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
323276 How to install and use RSoP in Windows Server 2003



Status

This behavior is by design.



More information

For additional information about RSoP, visit the following Microsoft Web site:



Keywords: KB312373, kbprb


Article Info
Article ID : 312373
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 311