A user in a trusted external domain cannot log on to a Microsoft Windows Server 2003-based domain, even though the Allow Cross-Forest User Policy and Roaming User Profiles Group Policy setting is enabled.

When this problem occurs, the Userenv.log file may contain an entry that is similar to the following:

USERENV(ec0.86c) 13:36:18:156 ProcessGPO: Deferring search for
USERENV(ec0.86c) 13:36:18:484 GetMachineDomainDS: ldap_bind_s failed with 82
USERENV(ec0.86c) 13:36:18:500 GetGPOInfo: Leaving with 0

CAUSE
This problem occurs because the Group Policy object that contains the Allow Cross-Forest User Policy and Roaming User Profiles Group Policy setting fails when a Windows Server 2003-based domain has an external trust relationship with the domain to which the user belongs.

Note This issue does not occur when the trust relationship between the domains is a forest trust instead of an external trust.

RESOLUTION
Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article.

[Continue reading Microsoft Knowledge Base article 896683]