question

neuropathy avatar image
0 Votes"
neuropathy asked DaisyZhou-MSFT answered

New Users Can't Access Some Network Locations - Sync Time Server?

Hello,

I have Windows Server 2016 for users. I'm also using Server 2012 for Active Directory. I've set all the usual permissions required to allow a new user to access a network location, and, I've added the user to the Active Directory group that should allow them access.

However, the new users are unable to access the network drive. The old users are able to access the drives they already had access to, but can't access new locations they've recently been given permission.

I've tried everything I can think of - something else is probably wrong now.

The other day, I tried to connect to the 2012 Server (Active Directory) using the hostname and got an error that mentioned that time sync could be off, or was out of sync. It allowed me to connect using the IP address instead of the hostname. Now, it's allowing me to connect using the hostname again. I've tried restarting all of the servers.

I'm wondering if it's the time synchronization between the two servers? The clock shows the same time, but I'd like to know if this could still be the issue? From what I've read online, it seems like this can cause the problem I'm experiencing.

Are these instructions still relevant? https://techlibrary.hpe.com/docs/otlink-wo/How-to-Configure-a-Local-NTP-Server.html

In Command Prompt, I used "w32tm /query /configuration /verbose"

Server 2012 shows Ntp Server: pool.ntp.org (Local)
Server 2016 shows Ntp Server: (Local)

I would appreciate any help.

Thank you

windows-server-2016windows-server-2012
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @neuropathy,

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

Hello @neuropathy,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·
DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered neuropathy commented

Hello @neuropathy,

Thank you for posting here.

To better understand your question, please confirm the following information at your convenience:

1.Based on "However, the new users are unable to access the network drive.", what error message did you receive?

2.Based on "The old users are able to access the drives they already had access to, but can't access new locations they've recently been given permission.", what error message did you receive?

3.Based on "Now, it's allowing me to connect using the hostname again. I've tried restarting all of the servers.", are the new users able to access the network drive now? Are old users able to access the drives they already had access to and new locations they've recently been given permission now?

4.Based on "However, the new users are unable to access the network drive. The old users are able to access the drives they already had access to, but can't access new locations they've recently been given permission.", are all the new users and old users you mentioned domain users?
Are old network drive and new network drive shared folder on 2012 Domain Controller or on Windows Server 2016?

5.Are Windows server 2012 Domain Controller and Windows Server 2016 physical machine or virtual machine?


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @DaisyZhou-MSFT

Thank you for your response.

  1. "Windows cannot access \\FileServer\NetworkDrive\ - you do not have permission to access \\FileServer\NetworkDrive\ . Contact your network administrator to request access" - I have set the correct permissions... I have read that it's possible this is due to a time server out of sync issue between the different servers...

  2. Same message as above


  3. I cannot grant access to certain network drives for new users anymore... It seems that old users can still access these locations.


  4. All users are domain users.


  5. Both servers are virtual machines running on different server hardware

Thank you,
Neuro


0 Votes 0 ·
DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hello @neuropathy,

Thank you for your update.

If now the issue does not appear, we can keep monitoring.

If the issue appears again one day, please check the time on DC and file server (if the time is the same or not).

If the issue appears again one day and the time on both servers is not the same. We can configure time sync in the domain as below.


Method 1 Registry configuration

===PDC===

(If it’s a virtual machine, set the first one entry, but don’t set this one entry if it’s not a virtual machine. )

HLM\SYSTEM\CurrentControlSet\services\w32time\TimeProviders\VMICTimeProvider
Name: Enabled
Type: REG_DWORD
Data:0

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Key Name: AnnounceFlags
Type: REG_DWORD (DWORD Value )
Data: 0x5

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Key Name: Type
Type: REG_SZ(String Value)
Data: NTP


Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Key Name: NtpServer
Type: REG_SZ(String Value)
Data: Peers (time.windows.com,0x9)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Key Name: Enabled
Type: REG_DWORD
Data: 1


===Other DCs and clients and member servers===
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Key Name: Type
Type: REG_SZ(String Value)
Data: NT5DS


Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Key Name: AnnounceFlags
Type: REG_DWORD (DWORD Value )
Data: 0xa




Method 2 GPO configuration

===PDC===
Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client

Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client==>Type as “NTP”


===Other DCs and clients and member servers===
Computer Configuration\Policies\Administration Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client==> Type as "NT5DS"



Tips:
1.Make sure that the UDP port 123 is open.
2.Be able to ping the NTP time server.

References:
https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773013(v=ws.10)?redirectedfrom=MSDN

https://docs.microsoft.com/zh-cn/archive/blogs/nepapfe/its-simple-time-configuration-in-active-directory


Hope the information above is helpful.


Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.