Recently, our organization needed to set up a trusted domain for a branch system. We wanted to add the second domain to run segregated services, but did not want to stub the domain from the root. We ended up creating a second forest.
Microsoft has some great articles on creating a domain trust. It was all in all pretty simple. Adding linked users for shared services (like Exchange) was a great way to leverage SSO in the environment without having to add a second Exchange server at the site.
One evening, late, I set up the domain trust over an IPsec VPN link across the WAN through our Cisco firewall devices. I set up the conditional forwarder in the new DNS server so that names would be properly resolved on the old domain. I created a linked account as per the Microsoft recommendation. I tested the user and was pleasantly surprised how easy and simple it was.
It was a small deployment of 20 users.
Two days later, I was starting to roll out services to the new domain, getting things all sorted out, when I attempted to access OWA from the new domain. The linked users would fail with a bad username/password combo, while the old domain users could use OWA just fine. Since it was only two days earlier that I had been able to log in to OWA with these user accounts, I double checked all my work for inconsistencies:
WAN link.
IPSEC link.
Domain trust on both ends.
DNS forwarders / conditional forwarding / resolution.
User account passwords.
Recreated the user accounts and linked them to new user objects in the old domain.
Nothing seemed to work.
I felt out of ideas. So I did what all good problem solvers do: I RDP’d into the local DC at the new domain and just started poking around.
That’s when I saw it.
The server’s clock read 6:02pm PST.
I looked at my phone clock. It was 4:02pm PST.
I checked the time on the old domain DC. It was 4:02pm PST.
You don’t want time sync issues on a domain. Kerberos only tolerates a small clock skew between the client, the KDC and the service (five minutes by default), so a two-hour offset means every ticket request from the new DC is rejected and the failure surfaces as a plain bad-password error. Your life will become terrible as users flood your system with tickets.
I set the server’s clock to the correct time, and I changed the registry settings of the new DC so the Windows Time service had proper NTP settings. Doing this resolved my issue. Users were immediately allowed to log into OWA from the linked accounts.
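The check I wish I had run first, and the fix, as an added PowerShell example (this is not code from the original post or from Microsoft). It measures the clock skew between the DC you are sitting on and a DC in the trusted forest, compares it against the Kerberos default tolerance, shows the current Windows Time configuration from the registry, and then points the service at the right source. The reference DC name and the NTP peer names are placeholders to replace; Invoke-Command assumes WinRM is enabled on the reference DC, and Get-ADDomainController assumes the ActiveDirectory module, which every DC has.

```powershell
# Added example, not from the original post: measure clock skew against a DC in the
# trusted forest, then configure the Windows Time service (w32time) properly.
# Placeholders: $ReferenceDC and $NtpPeers must be replaced with your own values.
# Run in an elevated PowerShell session on the DC whose clock is suspect.

$ReferenceDC           = 'dc01.olddomain.example'                 # placeholder: DC in the trusted forest
$NtpPeers              = 'ntp1.example.net,0x8 ntp2.example.net,0x8'  # placeholder: upstream NTP servers
$KerberosSkewTolerance = 300                                      # Kerberos default MaxClockSkew: 5 minutes

function Get-ClockSkewSeconds {
    param([string]$Computer)
    # Ask the reference DC for its clock (needs WinRM) and compare with ours.
    # Network latency adds sub-second noise, irrelevant next to a two-hour gap.
    $remoteNow = Invoke-Command -ComputerName $Computer -ScriptBlock { Get-Date }
    $localNow  = Get-Date
    return [math]::Round(($remoteNow - $localNow).TotalSeconds, 2)
}

function Show-TimeConfig {
    # Type NT5DS = follow the domain hierarchy; Type NTP = use the manual peer list.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    "Sync type        : $($params.Type)"
    "Manual NTP peers : $($params.NtpServer)"
    "Current source   : $(w32tm /query /source)"
}

function Set-DcTimeSource {
    param(
        [switch]$IsPdcEmulator,
        [string]$Peers
    )
    if ($IsPdcEmulator) {
        # Only the forest-root PDC emulator should sync from an external source;
        # /reliable:yes advertises it as a good time source to the rest of the forest.
        w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC should follow the domain hierarchy, not a hand-typed peer.
        w32tm /config /syncfromflags:domhier /update
    }
    Restart-Service -Name w32time
    w32tm /resync /rediscover
}

$skew = Get-ClockSkewSeconds -Computer $ReferenceDC
"Clock skew against ${ReferenceDC}: $skew seconds"
if ([math]::Abs($skew) -gt $KerberosSkewTolerance) {
    Write-Warning "Skew exceeds the Kerberos tolerance of $KerberosSkewTolerance s; cross-forest logons will fail."
}

Show-TimeConfig

# Decide how this DC should sync based on whether it holds the PDC emulator role.
$roles = (Get-ADDomainController -Identity $env:COMPUTERNAME).OperationMasterRoles
$isPdc = $roles -contains 'PDCEmulator'
Set-DcTimeSource -IsPdcEmulator:$isPdc -Peers $NtpPeers

# Verify: after resync the offset should be within a few seconds.
"Clock skew after resync: $(Get-ClockSkewSeconds -Computer $ReferenceDC) seconds"
```

The split in Set-DcTimeSource matters in a two-forest setup like this one: each forest has its own PDC emulator, and both should reach the same upstream NTP source, otherwise the two forests drift apart independently even though every DC within each forest agrees with itself.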