Thursday, May 29, 2014

Windows Time Service event 46 - access denied

I recently worked on a case where a domain controller came online with its clock time several hours out of sync (virtualized DC).  In this case, when looking at the system log, during the service start up events, there was a critical error for the windows time service:

- <Event xmlns="">
- <System>
<Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
<TimeCreated SystemTime="2014-02-21T07:25:24.140175500Z" />
<Correlation />
<Execution ProcessID="452" ThreadID="3648" />
<Security UserID="S-1-5-19" />
<Data Name="ErrorMessage">0x80070005: Access is denied.</Data>

Googling around came up with some details that this error can occur when netlogon service is not started.  Going back to the log showed a Service Control Manager 7022 netlogon service hung during startup.  After a few weeks back and forth with microsoft with netlogon tracing and memory dumps, it just came down to the fact that there were a lot of subnets being processed.  The servers being effected by the slow netlogon startup were all low spec virtualized domain controllers, so they weren't going to perform at their best anyways.  During the service startup, all subnets must be read into memory, which can take a while.  There is also no registry tweaks or configuration changes to get around this...other than cleaning up subnets.  The one thing that we had thought of before the whole case was, if time service needs netlogon running for it to function, why isn't it configured with service dependencies.  Even though the OS doesn't do this by default, some registry hacking will allow you to add a DependsOnService value to the w32time service key to ensure netlogon is started before time service tries to start.  This can be pushed through GPO as well.  For a .REG file you can use this:

Windows Registry Editor Version 5.00


No comments:

Post a Comment