Microsoft KB Archive/932462

= After you upgrade a domain controller to Windows Server 2003 SP1, the Windows Time Synchronization service does not start, and event ID 46 is logged =

Article ID: 932462

Article Last Modified on 2/21/2007


APPLIES TO


 * Microsoft Windows Server 2003 Service Pack 1, when used with:
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)




SYMPTOMS
After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time Synchronization service (W32Time) does not start as expected. Additionally, the following event is logged in the System log:

Type: Error

Date:

Time:

Event ID: 46

Source: W32Time

User: N/A

Computer:

Description:

An attempt was made to logon, but the network logon service was not started. The error was: 0x80070700

In this situation, the Netlogon service still starts successfully.

Notes
 * This issue occurs on computers that are upgraded to Windows Server 2003 from an earlier version of Windows.
 * This issue also occurs if you use National Security Agency (NSA) templates or if you use templates that are included in the Windows Server 2003 Security Guide.



CAUSE
This issue occurs if incorrect permissions are applied to the Net Logon service in Group Policy.

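Windows Server 2003 SP1 changes the startup configuration of the Windows Time service from the LOCAL SYSTEM account to the LOCAL SERVICE account. A Group Policy security setting for the Net Logon service that was defined before this change may therefore not grant the LOCAL SERVICE account the permissions that the Windows Time service now needs.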



RESOLUTION
To resolve this issue, assign the "Full control" permission over the Netlogon service to the LOCAL SERVICE account. To do this, follow these steps:
 * 1) Click Start, click Run, type rsop.msc in the Open box, and then click OK.
 * 2) Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
 * 3) In the right pane, locate the Group Policy setting that is applied to the Net Logon service.

Note Typically, this setting is the default domain policy that is applied to this service.
 * 4) Use the Active Directory Users and Computers MMC snap-in or the Group Policy MMC snap-in to edit the Group Policy setting that you noted in step 3.
 * 5) Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
 * 6) In the Service Name column, double-click Net Logon.
 * 7) Click Edit Security.
 * 8) View the list of accounts, and then add the LOCAL SERVICE account to the list of accounts.
 * 9) Assign the "Full control" permission to the LOCAL SERVICE account.
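
To confirm the result of the steps above, the following added example (not part of the original article) parses a service security descriptor in SDDL form, such as the output of `sc.exe sdshow netlogon`, and reports what its DACL grants to LOCAL SERVICE by name. The function name and both sample SDDL strings are constructed for illustration; 0xF01FF is SERVICE_ALL_ACCESS, the access mask that "Full control" represents for a service.

```powershell
# Added example (not from the KB article). Get the live value on a DC with:
#   sc.exe sdshow netlogon
$SERVICE_ALL_ACCESS = 0xF01FF   # access mask behind "Full control" on a service

function Get-LocalServiceAccess {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allow = 0
    $deny  = 0
    if ($null -ne $sd.DiscretionaryAcl) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only ACEs that name LOCAL SERVICE (S-1-5-19, SDDL alias "LS").
            # Access gained through groups such as Authenticated Users
            # is deliberately not counted here.
            if ([string]$ace.SecurityIdentifier -ne 'S-1-5-19') { continue }
            switch ($ace.AceType) {
                'AccessAllowed' { $allow = $allow -bor $ace.AccessMask }
                'AccessDenied'  { $deny  = $deny  -bor $ace.AccessMask }
            }
        }
    }
    # Assumes canonical ACE order (deny before allow), so a deny always wins.
    $effective = $allow -band (-bnot $deny)
    [pscustomobject]@{
        HasAce      = ($allow -ne 0 -or $deny -ne 0)
        AccessMask  = '0x{0:X}' -f $effective
        FullControl = (($effective -band $SERVICE_ALL_ACCESS) -eq $SERVICE_ALL_ACCESS)
    }
}

# Constructed samples: a template-style DACL without LOCAL SERVICE, and the
# same DACL after the article's resolution adds a "Full control" ACE for it.
$before = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
$after  = $before + '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LS)'

Get-LocalServiceAccess -Sddl $before
Get-LocalServiceAccess -Sddl $after
```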

