Already tried most of what you mentioned. Same error when using forestA
account on the console of host.forestA.com box.

Scheduling remotely - same error. Nothing in event log and the sniffer
does not even show Kerb traffic (I'll do more tests tomorrow, but
meanwhile I was not successful at catching any authentication traffic
between the host and DCs from either forest, but it could be the
hour...).
It looks like the API just fails and says: "Hey! I am not aware of the
account domain you are trying to make me look at!"
(tried ForestA\user, UPN and kerb principal - same result)
Tried both by IP and by hostname. The error I get:

C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

WARNING: The task name "test1" already exists. Do you want to replace it
(Y/N)?y
WARNING: The scheduled task "test1" has been created, but may not run
because the account information could not be set.

Clocks are synced and alright across the forests. The event logs are
perfectly clean. Actually this is the only issue I have with the server
(and it's ALL W2K3 member servers in the forestA that show this
behavior). The strange thing that I have found right now is that the
forestA DCs are immune to this weirdness (forestA accounts can be used
to schedule jobs on forestA DCs).

Guy
 

On Wed, 2004-10-27 at 16:29 -0400, joe wrote:
> I have to say that seems to be a weird one... But I am glad that cpau helps
> it work for you. :o)
> 
> Are you doing this remotely? What happens if you sit down on
> host.forestA.com with a forestA userid and try to schedule the task? Also
> can you try to schedule it remotely with just the IP address? If that works,
> the issue is probably somewhere in kerberos and I would start looking for
> ker errors and verify SPNs are properly registered and time between the
> machines is correct, etc.
> 
>   joe
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, October 27, 2004 3:11 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] A weird one (or Joeware vs. MS)
> 
> Here is a weird one:
> 2 forests with one way forest trusts:
> forestA.com trusts forestB.com
> 
> I try to schedule a task on host.forestA.com with account FORESTA\user
> (tried everything up to member of Enterprise Admins, Domain Admins,
> BUILTIN\Administrators) and I get "0x80070005 Access Denied" error - bad
> credentials, when submitting the task (tried both GUI and schtasks.exe). The
> same task can be scheduled using CHILD_OF_FORESTB\user account (notice that
> the host is in forestA and forestB accounts are OK, but its own accounts
> are denied).
> Local machine's accounts are also fine - the problem is only with host's
> forest accounts.
> 
> This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine).
> 
> Wrapping the same task with joe's CPAU resolves the issue and the task is
> executed correctly.
> 
> I tried to sniff the traffic, but it looks like the task scheduler does not
> even try to authenticate the forestA accounts.
> 
> In our test environment the scheduled tasks do work as expected, but there
> we currently have 2-way forest trust and some other things not yet
> implemented in production, so I cannot rely on the test environment
> regarding this issue.
> 
> I am starting to run out of ideas here...
> 
> Guy
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
