raffie613
asked on

Trust Access error

I have two 2003 Domains that have a two-way trust between them. When I am physically in Domain A, but log on to Domain B via the drop-down menu at the Windows logon screen, I AM able to get to the DC in Domain B. HOWEVER, when I try to click on a shared folder on the DC of Domain B, I get an "Access Denied" error: "the time doesn't match with the domain controller."
I am lost at this point and could really use some help.
abhijitwaikar

This issue occurs due to incorrect trust configuration between the domains or a permissions issue.

Verify both the trust between domains and the share and NTFS partition permissions are correctly configured for individual user or group access.

Regards,
Abhijit Waikar.
raffie613 (ASKER)

Can you be any more specific?
If I log into Domain B via VPN, I can access the share just fine, so I do not think it is a permissions issue.

What aspect of the trust would cause this issue?
Radhakrishnan
Have you validated the trust? It clearly indicates that the time of the server is different from the other DC. Try to set the correct time for this server and see. If it is a time sync issue, then try this.

REM Reset the service registration first: /unregister wipes the W32Time settings,
REM so it has to run before the peer list is configured, not after.
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

REM Point the server at external NTP servers (each name carries its own flag;
REM 0x8 = client mode), mark the source as manual and apply the change.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:MANUAL /update
net stop w32time
net start w32time
w32tm /resync /rediscover


Save this as a .bat file, run it on the server and see whether time sync is happening properly.
Check the link below; there is good info on accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

Regards,
Abhijit Waikar.
It seems that the time zone and time are different on the client PC. Check the time setting on the client PC as well as on the DC. Configure an authoritative time server: http://support.microsoft.com/kb/816042

Also check the network connectivity between the two domains. Check that the trust relationship is configured correctly. Refer to the links below for the same:
http://technet.microsoft.com/en-us/library/cc770299.aspx
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://www.techrepublic.com/blog/datacenter/an-overview-of-the-active-directory-domains-and-trusts-console/414
I ran this on the DC of each domain.
w32tm /config /manualpeerlist:pool.ntp.org

and got this as a result:

C:\Documents and Settings\rroleson>net time /querysntp
The current SNTP value is: pool.ntp.org
 
The command completed successfully.
 
C:\Documents and Settings\rroleson>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available
You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made will not take effect.

w32tm /config /manualpeerlist:pool.ntp.org,0x1

So if my DNS name for my domain is contoso.local, then the command to run should be

w32tm /config /contoso.local,0x1

???

What about the commands that radhakrishnan2007 gave above?
Thanks.

Time server configuration:
I ran this on the DC of each domain. w32tm /config /manualpeerlist:pool.ntp.org
Make sure that the PDC Emulator role owner in the forest root domain is the only authoritative time server, and that all other DCs and workstations sync with it.

Synching PDC emulator to an External Time Source
If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 pool.ntp.org,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.

Now stop and restart the Windows Time service using the following commands:

net stop w32time

net start w32time

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:

w32tm /resync /rediscover

Note: For other DCs and workstations, use NT5DS for the Type registry key and the PDC emulator IP or name,0x1 in the NtpServer registry key; the other steps are the same.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type  - NT5DS for clients.
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer - PDC emulator IP or name,0x1

Both the server and the client communicate using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that it is open on the firewall.

You may refer below to configure an authoritative time server in Windows Server 2003:
http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html

You may use the command line instead:
Run w32tm on the PDC emulator operations master to configure it to synchronize with the external time server regularly.

Ex. w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

/manualpeerlist:peers
Set the manual peer list to <peers>, which is a space-delimited list of DNS or IP address of the reliable external time server.

/syncfromflags:manual
Set what sources the NTP client should sync from.

/reliable:yes
Set this machine is a reliable time server

/update
Notify the time service that the configuration has changed.

For your concern about using Group Policy to alter the Windows Time Service on the PDC emulator: the authoritative Windows Time server cannot be changed with a GPO on the PDC emulator. However, you may use Group Policy to make all the domain clients sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:
Configure Global Configuration Settings here.
Computer Configuration\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings here.
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

FYI: Windows Time Service Technical Reference
http://msdn2.microsoft.com/en-us/library/bb608215.aspx

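The registry and command-line steps above, assembled into one PowerShell script that configures the PDC emulator (Type=NTP, AnnounceFlags=5, NtpServer with the ,0x1 flag), switches a member DC or workstation back to the domain hierarchy (NT5DS), and then measures the clock offset against a DC so the "time doesn't match" error can be confirmed or ruled out. This is an added example, not code from the thread or from Microsoft. The DC name DC01 and the pool.ntp.org peers are assumptions; the 300-second figure is the Windows default Kerberos clock-skew tolerance of five minutes. The script deliberately avoids w32tm /query, which Windows Server 2003 does not have, and reads the registry and w32tm /stripchart instead, both of which exist on 2003.

```powershell
# Added example: configure W32Time for the PDC emulator or a member, then verify
# the offset to a reference DC. Assumed names: DC01, 0.pool.ntp.org, 1.pool.ntp.org.
param(
    [ValidateSet('PdcEmulator', 'Member', 'Verify')][string]$Role = 'Verify',
    [string]$ReferenceDc = 'DC01',                                 # assumption
    [string[]]$ExternalPeers = @('0.pool.ntp.org', '1.pool.ntp.org') # assumption
)

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$kerberosMaxSkewSeconds = 300   # Windows default MaxClockSkew: 5 minutes

function Set-AuthoritativeTimeSource {
    param([string[]]$Peers)
    # Every DNS name needs the ,0x1 flag; without it the list is written but
    # never used, and /resync reports "no time data was available".
    $ntpServer = ($Peers | ForEach-Object { "$_,0x1" }) -join ' '
    Set-ItemProperty -Path "$w32\Parameters" -Name Type          -Value 'NTP'
    Set-ItemProperty -Path "$w32\Parameters" -Name NtpServer     -Value $ntpServer
    Set-ItemProperty -Path "$w32\Config"     -Name AnnounceFlags -Value 5   # reliable time server
    & w32tm /config /update | Out-Null       # tell the service the registry changed
    Restart-Service w32time
    & w32tm /resync /rediscover
}

function Set-DomainHierarchyTimeSource {
    # Members follow the domain hierarchy (Type=NT5DS) and find the PDC themselves.
    & w32tm /config /syncfromflags:domhier /update | Out-Null
    Restart-Service w32time
    & w32tm /resync /rediscover
}

function Get-W32TimeConfig {
    # Same three values the registry walkthrough above sets by hand.
    $p = Get-ItemProperty -Path "$w32\Parameters"
    $c = Get-ItemProperty -Path "$w32\Config"
    New-Object PSObject -Property @{
        Type          = $p.Type
        NtpServer     = $p.NtpServer
        AnnounceFlags = $c.AnnounceFlags
    }
}

function Get-ClockOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # /stripchart /dataonly prints one "HH:mm:ss, +00.0000000s" line per sample.
    # Return the largest absolute offset seen.
    $raw = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = @()
    foreach ($line in $raw) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { $offsets += [double]$matches[1] }
    }
    if ($offsets.Count -eq 0) {
        throw "No offset data from $Computer (UDP 123 blocked, or name not resolving across the trust?)"
    }
    ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
}

switch ($Role) {
    'PdcEmulator' { Set-AuthoritativeTimeSource -Peers $ExternalPeers }
    'Member'      { Set-DomainHierarchyTimeSource }
}

Get-W32TimeConfig | Format-List

$skew = Get-ClockOffsetSeconds -Computer $ReferenceDc
if ($skew -gt $kerberosMaxSkewSeconds) {
    Write-Warning ("Offset to {0} is {1:N1}s, beyond the {2}s Kerberos tolerance; " +
                   "expect access denied on its shares until time converges." -f $ReferenceDc, $skew, $kerberosMaxSkewSeconds)
} else {
    "Offset to {0} is {1:N3}s: within tolerance" -f $ReferenceDc, $skew
}
```

Run it as `.\Set-W32Time.ps1 -Role PdcEmulator` on the forest root PDC emulator, `-Role Member` on every other DC (or push the equivalent NT5DS setting by GPO, as the post describes), and `-Role Verify -ReferenceDc <DC in the other domain>` from the client that gets the error: the cross-domain offset is the number that matters for the trusted-domain share, not the offset to the client's own DC.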


Refer to this MS KB article to configure an authoritative time source: http://support.microsoft.com/kb/816042
Once done, restart the time service, open a command prompt and type w32tm /resync /rediscover.
ok,
Sandeshdubey: Will running that "Fix It" link do the same as what abhijitwaikar told me to do?

Also, abhijitwaikar: I really do not have time to be going to each individual WS and changing registry keys. This is a large organization, and I just need the time to sync so maybe it will fix my shared folder access error between the domain trusts.
@raffie613: Registry steps are not actually time consuming; anyway, I have already provided command-line steps as well.

Run the command below on the PDC emulator role holder in the forest root domain to make it authoritative:
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

I really do not have time to be going to each individual WS and changing registry keys.
Time synchronization is very important in an AD environment. I suggest you manually set the time config on the PDC; you may use Group Policy to make all other domain clients sync time with the authoritative time server in the domain. All the information on how to configure time sync using CMD, REG and GPO has already been provided to you.

Regards,
Abhijit Waikar.
@abhijitwaikar:
Is this the actual command I run on the DC FSMO role holder, or do I enter my actual domain name here?
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update
Thanks.
There are many external time sources, e.g. time.windows.com,0x1, pool.ntp.org,0x1 or tock.usno.navy.mil,0x1. Use any one of them on the PDC FSMO role holder DC.

You may use the command below as it is.
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /update

Regards,
Abhijit Waikar.
OK, the time is now synced. However, we are still unable to access the shared folder on the trusted Domain B when logging on from Domain A as a user that belongs to Domain B. We can see the server and folders in Explorer, but when trying to access them, we get access denied errors.
It seems to be a permissions issue. It is important to understand the security group concepts before you begin the planning process.

Refer to this KB, Accessing resources across forests: http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx
If it is a permissions issue, why are we able to access the folders when going through the vpn instead of the trust?
From Active Directory Domains and Trusts, are you able to validate the trust?
I believe that your trust is working in one way only, and just for clarification, have you added the DNS zones to each other, and are they loaded?
Yes, trust is validated.
What do you mean by "added the DNS zone to each other"?
Here is a pic of the error I have now.
tciserverlogin-fromcomp.bmp
Trusts are validated! What did you mean by adding the DNS zone to each other? You mean forward lookup zones? Done that.
Is anyone still on this? Could really use some help or I have to call Microsoft support.
radhakrishnan2007: You there?
What do you mean with the DNS zones?

ok then, I guess this one was out of everyone's league.
ASKER CERTIFIED SOLUTION
TheCleaner