Errors Logging Into OWA on Trusted Domain

Recently, our organization needed to set up a trusted domain for a branch system. We wanted to add the second domain to run segregated services, but did not want to stub the domain from the root. We ended up creating a second forest.

 

Microsoft has some great articles on creating a domain trust. I was all in all pretty simple. Adding users for services syncing (like exchange service sharing) was a great way to leverage SSO in the environment without having to add a second exchange server at the site.

 

One evening, late, I set up the domain trust over a IPSEC VPN link over the WAN through our Cisco firewall devices. I set up the conditional forwarder in the new DNS server so that names would be properly recognized on the old domain. I created a linked account as per the Microsoft recommendation. Tested the user and was pleasantly surprised how easy and simple it was.

 

I was a small deployment of 20 users.

 

Two days later, I was starting to roll out services to the new domain, getting things all sorted out, when I attempted to access OWA from the new domain. The linked users would fail with a bad username/password combo; while the old domain users could OWA just fine. Being that it was only 2 days previous that I was able to log in with these user accounts to OWA, I double checked all my work for inconsistencies.

WAN link.

IPSEC link.

Domain trust on both ends.

DNS forwarders/ conditional forwarding/ resolution.

User account passwords

Recreated the user accounts and linking them with new user objects in the old domain.

 

Nothing seemed to work.

I felt out of ideas. So I did what all good problem solvers did, I RDP’d into the local DC at the new domain and I just started poking around.

That’s when I saw it.

It was 6:02pm PST.

I looked at my phone clock. It was 4:02pm PST.

I checked the time on the old domain DC. It was 4:02pm PST.

 

You don’t want time sync issues on a domain. Your life will become terrible as users flood your system with tickets.

 

I set the time on the server to match the correct time, and I changed the registry settings of the new DC to have proper NTP settings. Doing this resolved my issue. Users were immediately allowed to log into OWA from the linked accounts.