Solved

Trust Access error

Posted on 2011-10-04
322 Views
Last Modified: 2012-05-12
I have two 2003 Domains that have a two way trust between them. When I am physically in Domain A, but log on to Domain B via the drop down menu at the Windows logon screen, I AM able to get to the DC in Domain B. HOWEVER, when I try to click on a shared folder on the DC of Domain B, I get an "Access Denied" error: "the time doesn't match with the domain controller."
I am lost at this point and could really use some help.
Question by:raffie613
24 Comments
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36914699
This issue occurs due to incorrect trust configuration between the domains or the permission issue.

Verify both the trust between domains and the share and NTFS partition permissions are correctly configured for individual user or group access.

Regards,
Abhijit Waikar.
0
 

Author Comment

by:raffie613
ID: 36914733
Can you be any more specific?
If i log into domain b via vpn, i can access the share just fine so i do not think it is a permissions issue.

What aspect of the trust would cause this issue?
0
 
LVL 24

Expert Comment

by:Radhakrishnan R
ID: 36914737
Have you validated the trust? It clearly indicates that the time of the server is different than the other DC. Try to set the correct time for this server and see. If it is a time sync issue then try this.

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org",0x8 /syncfromflags:MANUAL
w32tm /config /update
net stop w32time
net start w32time
w32tm /resync /nowait

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover


Save as a bat file, run it on the server and see whether time sync is happening properly.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36914948
Check the link below, there is good info on accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

Regards,
Abhijit Waikar.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36915634
It seems that the timezone and time are different on the client PC. Check the time setting on the client PC as well as on the DC. Configure an authoritative time server: http://support.microsoft.com/kb/816042

Also check the network connectivity between the two domains. Check that the trust relationship is configured correctly. Refer to the links below for the same:
http://technet.microsoft.com/en-us/library/cc770299.aspx
http://technet.microsoft.com/en-us/library/bb727050.aspx
http://www.techrepublic.com/blog/datacenter/an-overview-of-the-active-directory-domains-and-trusts-console/414
0
 

Author Comment

by:raffie613
ID: 36928046
I ran this on the DC of each domain.
w32tm /config /manualpeerlist:pool.ntp.org

and got this as a result:

C:\Documents and Settings\rroleson>net time /querysntp
The current SNTP value is: pool.ntp.org
 
The command completed successfully.
 
C:\Documents and Settings\rroleson>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36928221
You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made will not take effect.

w32tm /config /manualpeerlist:pool.ntp.org,0x1 /update

0
 

Author Comment

by:raffie613
ID: 36928535
So if my DNS name for my domain is contoso.local then the command to run should be

w32tm /config /contoso.local,0x1

???

What about the commands that radhakrishnan2007 gave above?
Thanks.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36928544
Trust Access error
Check the link below, there is good info on accessing and controlling resources across domains:
http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx

Time server configuration :
I ran this on the DC of each domain. w32tm /config /manualpeerlist:pool.ntp.org
Make sure that the PDC Emulator role owner in the forest root domain is the only authoritative time server and that the other DCs and workstations sync with it.

Synching PDC emulator to an External Time Source
If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 pool.ntp.org,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.

Now stop and restart the Windows Time service using the following commands:

net stop w32time

net start w32time

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:

w32tm /resync /rediscover

Note: For other DCs and workstations use NT5DS for the Type registry key and use the PDC emulator IP or name,0x1 in the NtpServer registry key; the other steps are the same.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type  - NT5DS for clients.
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer - PDC emulator IP or name,0x1

Both the server and the client communicate with each other using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that it is open on the firewall.

You may refer below to configure an authoritative time server in Windows Server 2003:
http://www.windowsnetworking.com/articles_tutorials/configuring-windows-time-service.html

You may use Command line parameter:
Run the w32tm command line on the PDC emulator operations master to configure it to synchronize with the external time server regularly.

Ex. w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

/manualpeerlist:peers
Set the manual peer list to <peers>, which is a space-delimited list of DNS or IP address of the reliable external time server.

/syncfromflags:manual
Set what sources the NTP client should sync from.

/reliable:yes
Set this machine as a reliable time server.

/update:
Set the time service configuration update.

2. For your concern about using Group Policy to alter the Windows Time Service on the PDC emulator, the authoritative Windows Time server cannot be changed with GPO on PDC emulator. However, you may use Group Policy to
make all the domain clients to sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:
Configure Global Configuration Settings here.
Computer Configuration\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings here.
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

FYI: Windows Time Service Technical Reference
http://msdn2.microsoft.com/en-us/library/bb608215.aspx



0
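The "time doesn't match" error above comes from Kerberos, which rejects tickets when the client and the DC differ by more than the domain's "Maximum tolerance for computer clock synchronization" (5 minutes by default). The following PowerShell script is an added example, not code from the thread or from Microsoft; it measures this machine's offset against a DC in each domain with w32tm /stripchart and flags any skew that would break cross-domain authentication. It assumes PowerShell is installed on the Server 2003-era box and that the DC names are placeholders for your own.

```powershell
# Added example: check clock skew against a DC in each domain.
# Assumes: w32tm /stripchart is available (XP/2003 and later) and the
# names below are placeholders for the real DCs.
$dcs = @('dc1.domaina.local', 'dc1.domainb.local')
$maxSkewSeconds = 300   # Kerberos policy default: 5 minutes

function Get-ClockOffsetSeconds {
    param([string]$Computer)
    # /dataonly prints one line per sample, e.g. "14:02:10, +00.0012345s";
    # an unreachable peer prints "14:02:10, error: 0x..." instead.
    $lines  = & w32tm /stripchart "/computer:$Computer" /samples:3 /dataonly 2>&1
    $sample = $lines | Where-Object { "$_" -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $sample) { return $null }
    if ("$sample" -match ',\s*([+-]\d+\.\d+)s') { return [double]$matches[1] }
    return $null
}

foreach ($dc in $dcs) {
    $offset = Get-ClockOffsetSeconds -Computer $dc
    if ($offset -eq $null) {
        Write-Host "$dc : no NTP reply (UDP 123 blocked, name not resolving, or host down)"
    } elseif ([math]::Abs($offset) -gt $maxSkewSeconds) {
        # Beyond this point the DC answers with KRB_AP_ERR_SKEW and shares show "Access Denied"
        Write-Host ("{0} : offset {1:N3}s exceeds {2}s, Kerberos authentication will fail" -f $dc, $offset, $maxSkewSeconds)
    } else {
        Write-Host ("{0} : offset {1:N3}s, within Kerberos tolerance" -f $dc, $offset)
    }
}
```

Run it from the workstation that gets the error as well as from each PDC emulator; a large offset on only one DC points at that domain's time hierarchy rather than at the trust.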
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36928580
Refer to this MS KB article: http://support.microsoft.com/kb/816042 to configure an authoritative time source.
Once done restart the time service and open command prompt and type w32tm /resync /rediscover.
0
 

Author Comment

by:raffie613
ID: 36931105
ok,
Sandeshdubey:. Will running that "fix It" link do the same as what abhijitwaikar: told me to do?

Also, abhijitwaikar: I really do not have time to be going to each individual WS and changing registry keys. This is a large organization and I just need the time to synch so maybe it will fix my shared folder access error between the domain trusts.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36931300
@raffie613:  Registry steps are not actually time consuming, Anyway I have already provided you command line steps also.

Run below command on PDC emulator role server in forest root domain to make authoritative:
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

I really do not have time to be going to each individual WS and changing registry keys.
Time synchronization is very IMP in AD environment, Suggest you to manually set time config on PDC and you may use Group Policy to make all other domain clients to sync time with the authoritative time server in the domain, all information, how to configure time sync using CMD, REG and GPO are already provided you.

Regards,
Abhijit Waikar.
0
 

Author Comment

by:raffie613
ID: 36932707
@abhijitwaikar:
Is this the actual command I run on the DC FSMO role holder or do I enter my actual domain name here?
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update
Thanks.
0
 
LVL 10

Expert Comment

by:abhijitwaikar
ID: 36934566
There are many external time sources, e.g. time.windows.com,0x1, pool.ntp.org,0x1 or tock.usno.navy.mil,0x1. Use any one of them on the PDC FSMO role holder DC.

You may use below command as it is.
w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /update

Regards,
Abhijit Waikar.
0
 

Author Comment

by:raffie613
ID: 36951641
ok, the time is now synched. However, we are still unable to access the shared folder on the trusted domain B when logging on from Domain A as a user that belongs to Domain B. We can see the server and folders in Explorer, but when trying to access them, we get access denied errors.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36953528
It seems to be a permission issue. It is important to understand the security group concepts before you begin the planning process.

Refer to this KB, Accessing resources across forests: http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx
0
 

Author Comment

by:raffie613
ID: 36953642
If it is a permissions issue, why are we able to access the folders when going through the vpn instead of the trust?
0
 
LVL 24

Expert Comment

by:Radhakrishnan R
ID: 36957125
From Active Directory Domains and Trusts, are you able to validate the trust?
I believe that your trust is working in one way and just for clarification, have you added the dns zone to each other and is it loaded?
0
 

Author Comment

by:raffie613
ID: 36957550
Yes, trust is validated.
What do you mean by added the DNS zone to each other?
0
 

Author Comment

by:raffie613
ID: 36959265
here is a pic of the error I have now.
tciserverlogin-fromcomp.bmp
0
 

Author Comment

by:raffie613
ID: 36975111
Trusts are validated! What did you mean by adding the DNS zone to each other? You mean forward lookup zones? Done that.
0
 

Author Comment

by:raffie613
ID: 36977615
Is anyone still on this? Could really use some help or I have to call Microsoft support.
0
 

Author Comment

by:raffie613
ID: 36987458
radhakrishnan2007: You there?
What do you mean with the DNS zones?

ok then, I guess this one was out of everyone's league.
0
 
LVL 23

Accepted Solution

by:
TheCleaner earned 2000 total points
ID: 37002949
I don't know where your problem lies at this point but I'll try to help you.

For the DNS part...my advice is to create conditional lookups in DNS for each of the respective domains.  See here:  http://www.windowsnetworking.com/articles_tutorials/dns_conditional_forwarding_in_windows_server_2003.html

Basically on domainA you'll have a conditional forwarder that says anything for domainb.com goes to domainB's DNS servers, and vice versa.

Then when you ping "serverA.domainB.com" from domain A you should get the proper response from the LAN IP in DomainB.

If you want short-name resolution, you'll need to modify the DNS suffix search lists for the clients, either through DHCP or script or GPO or similar, and make sure both domain suffixes are in there.
0
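Below is an added PowerShell example (not part of the accepted answer) that carries out the three steps it describes on a Server 2003 DNS server: add the conditional forwarder for the other domain with dnscmd, confirm that a host in that domain now resolves to its LAN IP, and set the client DNS suffix search list. Domain names, IP addresses and the test host name are placeholders.

```powershell
# Added example: reciprocal conditional forwarding for a two-domain trust.
# Run on a DNS server in domain A; run the mirror (zone/IPs swapped) in domain B.
# Assumes dnscmd (Server 2003 Support Tools) and PowerShell are installed.
$otherZone    = 'domainb.com'                # placeholder: the other domain's DNS name
$otherServers = @('10.0.2.10', '10.0.2.11')  # placeholder: its DNS servers
$testHost     = "serverb.$otherZone"         # placeholder: a host known to exist there

# On Server 2003 a conditional forwarder is a zone of type "Forwarder".
# PowerShell expands the array into separate IP arguments for dnscmd.
& dnscmd /ZoneAdd $otherZone /Forwarder $otherServers

# Verify: the last "Address" line of nslookup is the answer, the first is the server.
$answer = & nslookup $testHost 2>&1 | Where-Object { "$_" -match '^Address' } | Select-Object -Last 1
if ($answer) {
    "Resolved $testHost -> $answer"
} else {
    # A firewall between the sites that drops UDP/TCP 53 gives the same symptom.
    "No answer for $testHost; check the forwarder list and port 53 reachability to $($otherServers -join ', ')"
}

# Short-name resolution on this machine: search both suffixes.
# For the fleet, push the same value via the GPO
# Computer Configuration\Administrative Templates\Network\DNS Client\DNS Suffix Search List.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name SearchList -Value 'domaina.com,domainb.com'
```

Once both directions resolve, ping "serverA.domainB.com" from domain A as the answer suggests; if the name resolves but the share still returns Access Denied, the problem is back in the trust or share permissions, not DNS.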
