benowen187 Posted August 8, 2007

Ok this is an odd situation I'm in, but I need help!

We have 2 AD forests in our environment, 1 for testing and 1 for development. All the user accounts are located in the dev forest, with a forest trust relationship between the 2 domains so users can use their dev user account to log on and make changes in test. All worked perfectly.

The issue was that the test forest needed to be moved forward a month in time to September to test some procedures. So I made the relevant changes to stop the PDC emulator using NTP for its time source, changed its internal clock etc etc. And all the domain sprung forward 1 month.

But the issue is now that the users cannot log in from the dev forest. The error they get is:

"the current time on this computer and the current time on the network are different"

Now I did expect this, as I know the threshold is 5 minutes for the clocks to be out to stop replay attacks. But this is configurable, so I changed the setting to exceed the 1 month that I have pushed the clocks forward... but nothing, still no one can log in from the dev domain. Users in the test forest (admin accounts) are fine and they can log in no problem, but nothing from the dev forest.

I'm assuming that the "Maximum Tolerance For Computer Clock Synchronization" Kerberos setting doesn't apply for cross forests? Or something along those lines??

Has anyone else ever seen this? If so, help!

Cheers
Ben