raffie613
asked on
Trust Access error
I have two 2003 Domains that have a two way trust between them. When I am physically in Domain A, but log on to Domain B via the drop down menu at the windows logon screen, I AM able to get to the DC in Domain B. HOWEVER, when I try to click on a shared folder on the DC of Domain B, I get an "Access Denied error. the time doesn't match with the domain controler."
I am lost at this point and could really use some help.
I am lost at this point and could really use some help.
Last Comment
ASKER
Can you be any more specific?
If i log into domain b via vpn, i can access the share just fine so i do not think it is a permissions issue.
What aspect of the trust would cause this issue?
If i log into domain b via vpn, i can access the share just fine so i do not think it is a permissions issue.
What aspect of the trust would cause this issue?
Have you validated the trust? It's clearly indicates that the time of the server is different than the other DC. Try to set the correct time for this server and see. If it is time sync issue then try this.
w32tm /configure /manualpeerlist:"0.pool.nt
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /nowait
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover
Save as bat file and run this onto the server and see whether time sync happening properly.
w32tm /configure /manualpeerlist:"0.pool.nt
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /nowait
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover
Save as bat file and run this onto the server and see whether time sync happening properly.
Check below link, thare is a good info accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx
Regards,
Abhijit Waikar.
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx
Regards,
Abhijit Waikar.
Is seems that the Timezone and time is different on the cleint PC.Check the time setting on the cleint PC as well as on the DC.Configure authorative time server:http://support.microsoft.com/kb/816042
Also check the network connectivity between the two domain.Check the trust relationship is configured correctly.Refer below links for the same
http://technet.microsoft.com/en-us/library/cc770299.aspx
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://www.techrepublic.com/blog/datacenter/an-overview-of-the-active-directory-domains-and-trusts-console/414
Also check the network connectivity between the two domain.Check the trust relationship is configured correctly.Refer below links for the same
http://technet.microsoft.com/en-us/library/cc770299.aspx
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://www.techrepublic.com/blog/datacenter/an-overview-of-the-active-directory-domains-and-trusts-console/414
ASKER
I ran this on the DC of each domain.
w32tm /config /manualpeerlist:pool.ntp.o
and got this as a result:
C:\Documents and Settings\rroleson>net time /querysntp
The current SNTP value is: pool.ntp.org
The command completed successfully.
C:\Documents and Settings\rroleson>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available
w32tm /config /manualpeerlist:pool.ntp.o
and got this as a result:
C:\Documents and Settings\rroleson>net time /querysntp
The current SNTP value is: pool.ntp.org
The command completed successfully.
C:\Documents and Settings\rroleson>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available
You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made will not take effect.
w32tm /config /manualpeerlist:pool.ntp.o
w32tm /config /manualpeerlist:pool.ntp.o
ASKER
So If my DNS name for my domain is contoso.localt then the command to run should be
w32tm /config /contoso.local,0x1
???
What about the commands that radhakrishnan2007 gave above?
Thanks.
w32tm /config /contoso.local,0x1
???
What about the commands that radhakrishnan2007 gave above?
Thanks.
Trust Access error
Check below link, thare is a good info accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx
Time server configuration :
I ran this on the DC of each domain. w32tm /config /manualpeerlist:pool.ntp.o
Make sure that PDC Emulator role owner in the forest root domain is the only authorative time server and other DC and WS should be sync with it.
Synching PDC emulator to an External Time Source
If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:
HKLM\SYSTEM\CurrentControl
This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.
HKLM\SYSTEM\CurrentControl
This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.
HKLM\SYSTEM\CurrentControl
This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 pool.ntp.org,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.
Now stop and restart the Windows Time service using the following commands:
net stop w32time
net start w32time
It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.
Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:
w32tm /resync /rediscover.
Note: For other DC ans WS use NT5DS for Type registry Key and use PDC emulator IP or name,0x1 in NtpServer registry key, other steps are same.
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
both the server and the client are communicating with each other using the SNTP protocol which normally uses User Datagram Protocol (UDP) port 123 so make sure that its open on firewall.
You may refer below to configure an authoritative time server in Windows Server 2003:
http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html
You may use Command line parameter:
run the w32tm command-line on the PEC emulator operation master to configure with synchronizing with the external time server regularly.
Ex. w32tm /config /manualpeerlist:time.windo
/manualpeerlist:peers
Set the manual peer list to <peers>, which is a space-delimited list of DNS or IP address of the reliable external time server.
/syncfromflags:manual
Set what sources the NTP client should sync from.
/reliable:yes
Set this machine is a reliable time server
/update:
Set the time service configuration update.
2. For your concern about using Group Policy to alter the Windows Time Service on the PDC emulator, the authoritative Windows Time server cannot be changed with GPO on PDC emulator. However, you may use Group Policy to
make all the domain clients to sync time with the authoritative time server in the domain.
You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:
Configure Global Configuration Settings here.
Computer Configuration\Administrati
Configure Windows NTP Client settings here.
Computer Configuration\Administrati
Service\Time Providers
FYI: Windows Time Service Technical Reference
http://msdn2.microsoft.com/en-us/library/bb608215.aspx
Check below link, thare is a good info accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx
Time server configuration :
I ran this on the DC of each domain. w32tm /config /manualpeerlist:pool.ntp.o
Make sure that PDC Emulator role owner in the forest root domain is the only authorative time server and other DC and WS should be sync with it.
Synching PDC emulator to an External Time Source
If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:
HKLM\SYSTEM\CurrentControl
This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.
HKLM\SYSTEM\CurrentControl
This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.
HKLM\SYSTEM\CurrentControl
This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 pool.ntp.org,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.
Now stop and restart the Windows Time service using the following commands:
net stop w32time
net start w32time
It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.
Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:
w32tm /resync /rediscover.
Note: For other DC ans WS use NT5DS for Type registry Key and use PDC emulator IP or name,0x1 in NtpServer registry key, other steps are same.
HKLM\SYSTEM\CurrentControl
HKLM\SYSTEM\CurrentControl
both the server and the client are communicating with each other using the SNTP protocol which normally uses User Datagram Protocol (UDP) port 123 so make sure that its open on firewall.
You may refer below to configure an authoritative time server in Windows Server 2003:
http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html
You may use Command line parameter:
run the w32tm command-line on the PEC emulator operation master to configure with synchronizing with the external time server regularly.
Ex. w32tm /config /manualpeerlist:time.windo
/manualpeerlist:peers
Set the manual peer list to <peers>, which is a space-delimited list of DNS or IP address of the reliable external time server.
/syncfromflags:manual
Set what sources the NTP client should sync from.
/reliable:yes
Set this machine is a reliable time server
/update:
Set the time service configuration update.
2. For your concern about using Group Policy to alter the Windows Time Service on the PDC emulator, the authoritative Windows Time server cannot be changed with GPO on PDC emulator. However, you may use Group Policy to
make all the domain clients to sync time with the authoritative time server in the domain.
You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:
Configure Global Configuration Settings here.
Computer Configuration\Administrati
Configure Windows NTP Client settings here.
Computer Configuration\Administrati
Service\Time Providers
FYI: Windows Time Service Technical Reference
http://msdn2.microsoft.com/en-us/library/bb608215.aspx
Refer this KB article of MS :http://support.microsoft.com/kb/816042 to configure authorative time source.
Once done restart the time service and open command prompt and type w32tm /resync /rediscover.
Once done restart the time service and open command prompt and type w32tm /resync /rediscover.
ASKER
ok,
Sandeshdubey:. Will running that "fix It" link do the same as what abhijitwaikar: told me to do?
Also, abhijitwaikar: I really do not have time to be going to each individual WS and changing registry keys. This is a large organization and I just need the time to synch so maybe it will fix my shared folder access error between the domain trusts.
Sandeshdubey:. Will running that "fix It" link do the same as what abhijitwaikar: told me to do?
Also, abhijitwaikar: I really do not have time to be going to each individual WS and changing registry keys. This is a large organization and I just need the time to synch so maybe it will fix my shared folder access error between the domain trusts.
@raffie613: Registry steps are not actually time consuming, Anyway I have already provided you command line steps also.
Run below command on PDC emulator role server in forest root domain to make authoritative:
w32tm /config /manualpeerlist:time.windo
I really do not have time to be going to each individual WS and changing registry keys.
Time synchronization is very IMP in AD environment, Suggest you to manually set time config on PDC and you may use Group Policy to make all other domain clients to sync time with the authoritative time server in the domain, all information, how to configure time sync using CMD, REG and GPO are already provided you.
Regards,
Abhijit Waikar.
Run below command on PDC emulator role server in forest root domain to make authoritative:
w32tm /config /manualpeerlist:time.windo
I really do not have time to be going to each individual WS and changing registry keys.
Time synchronization is very IMP in AD environment, Suggest you to manually set time config on PDC and you may use Group Policy to make all other domain clients to sync time with the authoritative time server in the domain, all information, how to configure time sync using CMD, REG and GPO are already provided you.
Regards,
Abhijit Waikar.
ASKER
@abhijitwaikar:
Is this the actual command I run on the DC FSMO role holder or do I enter my actual domain name here?
w32tm /config /manualpeerlist:time.windo
update
Thanks.
Is this the actual command I run on the DC FSMO role holder or do I enter my actual domain name here?
w32tm /config /manualpeerlist:time.windo
update
Thanks.
There are many external time sources, e.g. time.windows.com,0x1 pool.ntp.org,0x1 to tock.usno.navy.mil,0x1. Use any one of them on PDC FSMO role holder DC.
You may use below command as it is.
w32tm /config /manualpeerlist:time.windo
Regards,
Abhijit Waikar.
You may use below command as it is.
w32tm /config /manualpeerlist:time.windo
Regards,
Abhijit Waikar.
ASKER
ok, the time is now synched. However, we are still unable to access the shared folder on the trusted domain B, when loggin on from Domain A as a user that belongs to Domain B. We can see the server and folders in Explorerer, but when trying to access them ,we get access denied errors.
It seems to be the permission issue.It is important to understand the security group concepts before you begin the planning process.
Refer this KB Accessing resources across forests:http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx
Refer this KB Accessing resources across forests:http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx
ASKER
If it is a permissions issue, why are we able to access the folders when going through the vpn instead of the trust?
From active directory domain and trust are you abe to validate the trust?
I believe that your trust is working in one way and just for clarification, have you added the dns zone to each other and is it loaded?
I believe that your trust is working in one way and just for clarification, have you added the dns zone to each other and is it loaded?
ASKER
Yes, trust is validated.
What do you mean by added the dns zone to eachother*
What do you mean by added the dns zone to eachother*
ASKER
here is a pic of the error I have now.
tciserverlogin-fromcomp.bmp
tciserverlogin-fromcomp.bmp
ASKER
treust are validated! What did you mean by adding the DNS zone to each other? You mean forward lookup zones? Done that.
ASKER
Is anyone still on this? Could really use some help or I have to call Microsoft support.
ASKER
radhakrishnan2007: You there?
What do you mean with the DNS zones?
ok then, I guess this one was out of everyone's league.
What do you mean with the DNS zones?
ok then, I guess this one was out of everyone's league.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Windows Server 2003
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).
129K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Verify both the trust between domains and the share and NTFS partition permissions are correctly configured for individual user or group access.
Regards,
Abhijit Waikar.