Trust Access error

I have two 2003 domains that have a two-way trust between them. When I am physically in Domain A but log on to Domain B via the drop-down menu at the Windows logon screen, I AM able to get to the DC in Domain B. HOWEVER, when I try to click on a shared folder on the DC of Domain B, I get an "Access Denied" error: "The time doesn't match with the domain controller."
I am lost at this point and could really use some help.
raffie613 Asked:
abhijitwaikar Commented:
This issue occurs due to an incorrect trust configuration between the domains or a permissions issue.

Verify that both the trust between the domains and the share and NTFS permissions are correctly configured for the individual user or group.

Regards,
Abhijit Waikar.
0
raffie613 (Author) Commented:
Can you be any more specific?
If I log into Domain B via VPN, I can access the share just fine, so I do not think it is a permissions issue.

What aspect of the trust would cause this issue?
0
Radhakrishnan R (Senior Technical Lead) Commented:
Have you validated the trust? It clearly indicates that the time of the server is different from that of the other DC. Try setting the correct time on this server and see. If it is a time sync issue, then try this.

REM Re-register the service first: w32tm /unregister wipes the W32Time registry
REM configuration, so the peer list has to be set after it, not before.
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

REM The switch is /config (there is no /configure). Flags are per peer, so each
REM name carries its own ,0x8 (client mode) inside the quoted list.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:MANUAL
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /rediscover


Save it as a .bat file, run it on the server and see whether time sync is happening properly.
0
abhijitwaikar Commented:
Check the link below; there is good info on accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

Regards,
Abhijit Waikar.
0
Sandeshdubey (Senior Server Engineer) Commented:
It seems that the time zone and time are different on the client PC. Check the time setting on the client PC as well as on the DC. Configure an authoritative time server: http://support.microsoft.com/kb/816042

Also check the network connectivity between the two domains, and check that the trust relationship is configured correctly. Refer to the links below for the same.
http://technet.microsoft.com/en-us/library/cc770299.aspx
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://www.techrepublic.com/blog/datacenter/an-overview-of-the-active-directory-domains-and-trusts-console/414
0
raffie613 (Author) Commented:
I ran this on the DC of each domain.
w32tm /config /manualpeerlist:pool.ntp.org

and got this as a result:

C:\Documents and Settings\rroleson>net time /querysntp
The current SNTP value is: pool.ntp.org
 
The command completed successfully.
 
C:\Documents and Settings\rroleson>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available
0
Sandeshdubey (Senior Server Engineer) Commented:
You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made will not take effect.

w32tm /config /manualpeerlist:pool.ntp.org,0x1

0
raffie613 (Author) Commented:
So if my DNS name for my domain is contoso.local, then the command to run should be

w32tm /config /contoso.local,0x1

???

What about the commands that radhakrishnan2007 gave above?
Thanks.
0
abhijitwaikar Commented:
Trust Access error
Check the link below; there is good info on accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

Time server configuration:
"I ran this on the DC of each domain. w32tm /config /manualpeerlist:pool.ntp.org"
Make sure that the PDC Emulator role owner in the forest root domain is the only authoritative time server, and that the other DCs and workstations sync with it.

Synching PDC emulator to an External Time Source
If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 pool.ntp.org,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.

Now stop and restart the Windows Time service using the following commands:

net stop w32time

net start w32time

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:

w32tm /resync /rediscover

Note: For the other DCs and workstations, use NT5DS for the Type registry key and the PDC emulator IP or name,0x1 in the NtpServer registry key; the other steps are the same.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type  - NT5DS for clients.
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer - PDC emulator IP or name,0x1

Both the server and the client communicate with each other using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that it is open on the firewall.

You may refer below to configure an authoritative time server in Windows Server 2003:
http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html

You may use Command line parameter:
Run the w32tm command line on the PDC emulator operations master to configure it to synchronize with the external time server regularly.

Ex. w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

/manualpeerlist:peers
Set the manual peer list to <peers>, which is a space-delimited list of DNS names or IP addresses of the reliable external time servers.

/syncfromflags:manual
Set what sources the NTP client should sync from.

/reliable:yes
Set this machine as a reliable time server.

/update:
Apply the time service configuration update.

For your concern about using Group Policy to alter the Windows Time Service on the PDC emulator: the authoritative Windows Time server cannot be changed with a GPO on the PDC emulator. However, you may use Group Policy to make all the domain clients sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:
Configure Global Configuration Settings here.
Computer Configuration\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings here.
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

FYI: Windows Time Service Technical Reference
http://msdn2.microsoft.com/en-us/library/bb608215.aspx



0
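To make the "SNTP over UDP 123" part of the explanation above concrete, here is an added example (my own code, not from the thread or from Microsoft): a minimal SNTP (RFC 4330) client exchange with the offset and round-trip arithmetic that any time client, W32Time included, applies to a reply, followed by a check of that offset against the default 5-minute Kerberos MaxClockSkew that turns a skewed DC into "access denied" across a trust. The server reply, the 400-second skew and the timestamps are constructed in-process so the script runs offline; `query_server()` runs the same code path against a real peer.

```python
# Added example, not from the Experts Exchange thread: a minimal SNTP
# (RFC 4330) client-side exchange and the offset/delay arithmetic that a
# time client such as W32Time performs on a reply. The server reply used
# here is constructed in-process so the script runs offline; query_server()
# shows the same code path against a real peer on UDP 123.
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
KERBEROS_MAX_SKEW_SECONDS = 300.0    # AD default MaxClockSkew (5 minutes)


def to_ntp(unix_seconds):
    """Unix time (float seconds) -> 64-bit NTP timestamp, 32.32 fixed point."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ntp_ts):
    """64-bit NTP timestamp -> Unix time (float seconds)."""
    return ((ntp_ts >> 32) - NTP_EPOCH_OFFSET) + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3; Transmit Timestamp = t1."""
    pkt = bytearray(48)
    pkt[0] = 0x23                     # 00 100 011 -> LI 0, version 4, mode 3 (client)
    struct.pack_into("!Q", pkt, 40, to_ntp(t1))
    return bytes(pkt)


def build_constructed_reply(request, t2, t3, stratum=2):
    """Constructed server reply (mode 4) for offline use; a real peer does this."""
    pkt = bytearray(48)
    pkt[0] = 0x24                     # LI 0, version 4, mode 4 (server)
    pkt[1] = stratum
    pkt[24:32] = request[40:48]       # Originate = client's Transmit, echoed back
    struct.pack_into("!Q", pkt, 32, to_ntp(t2))   # Receive Timestamp
    struct.pack_into("!Q", pkt, 40, to_ntp(t3))   # Transmit Timestamp
    return bytes(pkt)


def compute_offset(request, reply, t4):
    """Return (offset, round_trip_delay) in seconds per RFC 4330 section 5.

    offset = ((T2 - T1) + (T3 - T4)) / 2 ; delay = (T4 - T1) - (T3 - T2)
    Raises ValueError on a reply that should not be trusted.
    """
    if len(reply) < 48:
        raise ValueError("short packet")
    mode = reply[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if reply[1] == 0:
        raise ValueError("kiss-o'-death / unsynchronised server (stratum 0)")
    # SNTP carries no authentication; the only spoof check available is that
    # the Originate Timestamp echoes the request we actually sent.
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not match our request")
    t1 = from_ntp(struct.unpack_from("!Q", request, 40)[0])
    t2 = from_ntp(struct.unpack_from("!Q", reply, 32)[0])
    t3 = from_ntp(struct.unpack_from("!Q", reply, 40)[0])
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def within_kerberos_skew(offset):
    """True if |offset| is inside the default 5-minute Kerberos tolerance."""
    return abs(offset) <= KERBEROS_MAX_SKEW_SECONDS


def query_server(host, port=123, timeout=3.0):
    """Live query (not used by the offline demo): returns (offset, delay)."""
    import time
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        request = build_request(t1)
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    return compute_offset(request, reply, t4)


def offline_demo():
    """Constructed scenario: the DC's clock is 400 s ahead of the client."""
    t1 = 1300000000.0                 # client clock when the request is sent
    request = build_request(t1)
    t2 = t1 + 400.0 + 0.010           # server receives: +400 s skew, 10 ms one-way
    t3 = t2 + 0.001                   # server answers 1 ms later
    t4 = t1 + 0.021                   # client receives 21 ms after sending
    reply = build_constructed_reply(request, t2, t3)
    offset, delay = compute_offset(request, reply, t4)
    return offset, delay, within_kerberos_skew(offset)


if __name__ == "__main__":
    off, rtt, ok = offline_demo()
    print("offset %.3f s, delay %.3f s, kerberos_ok=%s" % (off, rtt, ok))
```

The originate-timestamp check is the only integrity protection plain SNTP gives you, which is why the advice in this thread (one PDC emulator polls an external source, everything else stays on NT5DS and takes time from the domain hierarchy over the authenticated secure channel) is also the safer layout: an on-path attacker who can answer UDP 123 can move an NTP-only DC's clock, and a clock moved by more than MaxClockSkew breaks Kerberos just as effectively as a misconfiguration does.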
Sandeshdubey (Senior Server Engineer) Commented:
Refer to this MS KB article: http://support.microsoft.com/kb/816042 to configure an authoritative time source.
Once done restart the time service and open command prompt and type w32tm /resync /rediscover.
0
raffie613 (Author) Commented:
OK,
Sandeshdubey: will running that "Fix It" link do the same as what abhijitwaikar told me to do?

Also, abhijitwaikar: I really do not have time to be going to each individual WS and changing registry keys. This is a large organization, and I just need the time to sync so maybe it will fix my shared folder access error between the domain trusts.
0
abhijitwaikar Commented:
@raffie613: Registry steps are not actually time consuming. Anyway, I have already provided you with command line steps as well.

Run the command below on the PDC emulator role server in the forest root domain to make it authoritative:
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

"I really do not have time to be going to each individual WS and changing registry keys."
Time synchronization is very important in an AD environment. I suggest you manually set the time config on the PDC, and you may use Group Policy to make all the other domain clients sync time with the authoritative time server in the domain. All the information on how to configure time sync using CMD, REG and GPO has already been provided to you.

Regards,
Abhijit Waikar.
0
raffie613 (Author) Commented:
@abhijitwaikar:
Is this the actual command I run on the DC FSMO role holder, or do I enter my actual domain name here?
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update
Thanks.
0
abhijitwaikar Commented:
There are many external time sources, e.g. time.windows.com,0x1, pool.ntp.org,0x1 or tock.usno.navy.mil,0x1. Use any one of them on the PDC FSMO role holder DC.

You may use the command below as it is.
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /update

Regards,
Abhijit Waikar.
0
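The ",0x1" suffix comes up repeatedly in this thread, and the same command is posted both with and without the comma. As an added example (my own code, not from the thread or from Microsoft), here is a parser for the `/manualpeerlist:` value, which uses the same syntax as the NtpServer registry entry: it splits the space-delimited peers, decodes the per-peer flag bits (0x1 UseSpecialPollInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client, which are the documented W32Time flags), flags a host written as "time.windows.com0x1" as a dropped comma, and re-emits a list that is safe to paste into `w32tm /config`. The peer strings in the demo are taken from the thread; the warning texts and the hostname regex are my own.

```python
# Added example, not from the thread: a parser for the w32tm /manualpeerlist:
# value (the same syntax as the NtpServer registry entry). It decodes the
# per-peer flags and catches the mistake that recurs in this thread:
# writing "host0x1" instead of "host,0x1".
import ipaddress
import re

# Documented per-peer flag bits of the Windows Time service.
W32TIME_PEER_FLAGS = {
    0x1: "UseSpecialPollInterval",   # poll at SpecialPollInterval, not the negotiated one
    0x2: "UseAsFallbackOnly",
    0x4: "SymmetricActive",
    0x8: "Client",
}

# Hostname label syntax (own simplification of RFC 1123; an assumption).
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_manual_peer_list(peer_list):
    """Return one dict per space-separated peer: host, flag_value, flags, warnings."""
    peers = []
    for token in peer_list.split():
        host, sep, flag_text = token.partition(",")
        entry = {"host": host, "flag_value": 0, "flags": [], "warnings": []}
        if not sep:
            # No comma at all. A hex-looking tail such as "0x1" glued to the
            # name means the comma was dropped; recover host and flags.
            m = re.search(r"0x[0-9A-Fa-f]+$", host)
            if m:
                entry["warnings"].append(
                    "missing comma before flags: did you mean '%s,%s'?"
                    % (host[:m.start()], m.group(0)))
                host, flag_text = host[:m.start()], m.group(0)
                entry["host"] = host
            elif not _is_ip(host):
                entry["warnings"].append(
                    "no flags given; KB 816042 expects ',0x1' after each DNS name")
        if flag_text:
            try:
                value = int(flag_text, 0)      # accepts "0x1", "0x9", "8"
            except ValueError:
                value = 0
                entry["warnings"].append("unparseable flags %r" % flag_text)
            unknown = value & ~sum(W32TIME_PEER_FLAGS)
            if unknown:
                entry["warnings"].append("unknown flag bits 0x%x" % unknown)
            entry["flag_value"] = value
            entry["flags"] = [name for bit, name in sorted(W32TIME_PEER_FLAGS.items())
                              if value & bit]
        if not (_is_ip(host) or _HOST_RE.match(host)):
            entry["warnings"].append("invalid host %r" % host)
        peers.append(entry)
    return peers


def render_peer_list(peers, default_flags=0x1):
    """Re-emit the list with explicit flags so it can be pasted into w32tm /config."""
    return " ".join("%s,0x%x" % (e["host"], e["flag_value"] or default_flags)
                    for e in peers)


if __name__ == "__main__":
    # Peer strings as they appear in the thread; the first one lacks the comma.
    for raw in ("time.windows.com0x1", "time.windows.com,0x1 pool.ntp.org,0x1",
                "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"):
        parsed = parse_manual_peer_list(raw)
        print(raw, "->", render_peer_list(parsed))
        for e in parsed:
            print("  %-20s flags=%s warnings=%s" % (e["host"], e["flags"], e["warnings"]))
```

Running the parser over the two commands posted above shows why one of them silently does nothing useful: without the comma, W32Time is handed the hostname "time.windows.com0x1", which never resolves, and `w32tm /resync` reports that no time data was available, exactly the symptom seen earlier in the thread.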
raffie613 (Author) Commented:
OK, the time is now synced. However, we are still unable to access the shared folder on the trusted Domain B when logging on from Domain A as a user that belongs to Domain B. We can see the server and folders in Explorer, but when trying to access them, we get access denied errors.
0
Sandeshdubey (Senior Server Engineer) Commented:
It seems to be a permissions issue. It is important to understand the security group concepts before you begin the planning process.

Refer to this KB on accessing resources across forests: http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx
0
raffie613 (Author) Commented:
If it is a permissions issue, why are we able to access the folders when going through the vpn instead of the trust?
0
Radhakrishnan R (Senior Technical Lead) Commented:
From Active Directory Domains and Trusts, are you able to validate the trust?
I believe that your trust is working in one way only. Just for clarification, have you added the DNS zone to each other, and is it loaded?
0
raffie613 (Author) Commented:
Yes, the trust is validated.
What do you mean by "added the DNS zone to each other"?
0
raffie613 (Author) Commented:
here is a pic of the error I have now.
tciserverlogin-fromcomp.bmp
0
raffie613 (Author) Commented:
Trusts are validated! What did you mean by adding the DNS zone to each other? You mean forward lookup zones? Done that.
0
raffie613 (Author) Commented:
Is anyone still on this? Could really use some help or I have to call Microsoft support.
0
raffie613 (Author) Commented:
radhakrishnan2007: You there?
What do you mean with the DNS zones?

ok then, I guess this one was out of everyone's league.
0
TheCleaner Commented:
I don't know where your problem lies at this point but I'll try to help you.

For the DNS part...my advice is to create conditional lookups in DNS for each of the respective domains.  See here:  http://www.windowsnetworking.com/articles_tutorials/dns_conditional_forwarding_in_windows_server_2003.html

Basically on domainA you'll have a conditional forwarder that says anything for domainb.com goes to domainB's DNS servers, and vice versa.

Then when you ping "serverA.domainB.com" from domain A you should get the proper response from the LAN IP in DomainB.

If you want short-name resolution, you'll need to modify the DNS suffix search lists for the clients, either through DHCP, a script, a GPO or similar, and make sure both domain suffixes are in there.
0