"add forest" in group policy management does not work unless RC4 is enabled
We have two-way forest trust established and would like to manage group policy for both forests from one server.
On a member server where Group Policy Management console is installed, these encryption types are enabled in “Network security: Configure encryption types allowed for Kerberos”:
Future encryption types
When I try to add another forest to Group Policy Management console (open “Group Policy Management” console, right click on “Group Policy Management”, click on “Add forest…”, enter domain name and then click “OK”), a message “Access is denied.” pops up.
If I enable “RC4HMACMD5” on the server where Group Policy Management console is installed, I can add a forest in Group Policy Management console without any errors.
Please fix this. I don't like having a legacy cipher (RC4) enabled just to be able to manage group policy from two different forests.
Tomislav Fučkar commented
Kerberos is not enabled by default when creating forest trust. After manually enabling it, AES works as expected and RC4 does not have to be enabled on the server where Group Policy Management console is installed.
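Added example (not from the original post or the commenter): a PowerShell audit of the two settings this thread turns on, the Kerberos encryption-type policy on the GPMC member server and the AES flag on each trust. It assumes the ActiveDirectory module is installed, the script runs elevated, and the trust flags are read through Get-ADTrust's UsesAESKeys / UsesRC4Encryption properties.

```powershell
# Audit Kerberos encryption types for cross-forest GPMC use. Added example;
# assumes the ActiveDirectory RSAT module and an elevated session on the GPMC host.
Import-Module ActiveDirectory

# Bit values shared by the local policy value and msDS-SupportedEncryptionTypes.
$EncTypes = [ordered]@{
    'DES_CBC_CRC'      = 0x1
    'DES_CBC_MD5'      = 0x2
    'RC4_HMAC_MD5'     = 0x4
    'AES128_HMAC_SHA1' = 0x8
    'AES256_HMAC_SHA1' = 0x10
}

function Get-EncTypeNames([int]$Mask) {
    $names = @($EncTypes.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key })
    if ($Mask -band 0x7FFFFFE0) { $names += 'Future encryption types' }
    if ($names.Count -eq 0) { return 'not configured (OS defaults apply)' }
    return ($names -join ', ')
}

# 1. "Network security: Configure encryption types allowed for Kerberos" on this server.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local  = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $local) { $local = 0 }
"Local Kerberos policy : {0}" -f (Get-EncTypeNames $local)
if ($local -band 0x4) { "  note: RC4 is still allowed locally" }

# 2. Per-trust AES support; the thread's fix is the missing AES flag on the trust.
Get-ADTrust -Filter * | ForEach-Object {
    "{0}: direction={1} forestTransitive={2} AES={3} RC4={4}" -f `
        $_.Name, $_.Direction, $_.ForestTransitive, $_.UsesAESKeys, $_.UsesRC4Encryption
    if (-not $_.UsesAESKeys) {
        # Run on a DC in each forest; sets msDS-SupportedEncryptionTypes on the trust object.
        "  -> ksetup /setenctypeattr {0} AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96" -f $_.Name
    }
}
```

After enabling AES on the trust on both sides, rerun the audit and retry "Add forest" with RC4 left disabled.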