Computer GPO fails in an inter forest trust between segregated networks
We have a large corporate intranet multidomain forest, which we can call the green forest.
In a segregated network we have a single-domain forest, which we can call the red forest.
We have full IP connectivity between the top/root domain controllers in the 2 forests (fully meshed, Cisco ACLs permitting traffic flows based on source and destination IP addresses), and have managed to implement a one-way cross-forest trust, red trust on green.
We want the red computer GPOs applied on the red Windows 7 clients, with loopback enabled and set to replace.
When a red user logs on to a red Windows 7 client, both authentication and the computer GPOs are applied as expected.
Now the issue: when a green user logs on to a red Windows 7 client, authentication across the forests is working, but the computer GPO is never applied.
We have been told by 1 Microsoft support engineer that we must permit IP connectivity between the red clients and the green domain controllers that the user accounts are defined in.
Can it be true that the clients must have IP connectivity to the user account DCs?
Here is a link describing how GPO should work in a cross-forest setup; there is no statement about firewalls.
http://www.frickelsoft.net/blog/?p=284
Here is a link to a case similar to ours; in the last posts they agree it should work, but they never got it going: http://social.technet.microsoft.com/forums/en-us/winserverds/thread/1b60243e-e5a8-4e13-bc4b-b134caf127a6/
I can understand that there have been problems in time, but they must have been sorted out to provide scalable AD/GPO services, for example between companies or within a company group.
No, not evil, if you know what you are doing: or bad GPOs?
If my answer was helpful, I would be glad of a rating!