none
w32tm Access is denied. (0x80070005) from elevated prompt

    Question

  • I'm trying to set the NTP peers on a brand new 2008R2 domain, and everything I do give me the Access is Denied (0x80070005) error. I can query the source (Local CMOS Clock), and I can run the monitor command, but everything else I try gives me Access Denied. Commands I've tried:

     

     

    w32tm /register 
    w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:MANUAL /reliable:yes 
    w32tm /update


     I'm logging on as the Administrator account and using an elevated command prompt. I've even turned UAC all the way down and confirmed that the Domain Policy doesn't have any configuration set.

    This is a .local domain, so I'm actually trying to use another internal trusted domain as the peer.



    • Edited by aobrien5 Thursday, July 14, 2011 4:59 PM more domain info
    Thursday, July 14, 2011 4:43 PM

Answers

  • If possible reboot the DC & run below cmd. If you get access denied for the first attempt to unregister rerun the same cmd. Can you make sure windows 2008 R2 is running with latest service pack & patches. If nothing works, running SFC /SCANNOW will be more viable option.

    Can you try with some other domain admin account,newly created not the existing one, trying to sort out if there is corruption with ID.

    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time

    How to configure authoritative tine server

    http://support.microsoft.com/kb/816042 

     

    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by aobrien5 Friday, July 15, 2011 2:00 PM
    Friday, July 15, 2011 4:51 AM

All replies

  • Hello,

    how many DCs in total do you have? Are they physical machines or do you use VMs(which hypervisor OS)

    Never had seen this on healthy domains, if UAC is disabled and the Domain Administrator account is used with RUNAS.

    Please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, July 14, 2011 6:29 PM
  • This is a brand new domain created yesterday.  There are only 2 machines on the domain - 1 DC in each of 2 sites.  They are virtual, running on VMWare ESX.  I ran all of the commands you mentioned on both DCs, just to be thorough, and they are zipped at the link below.  Again, these files aren't terribly large because the domain is so small.

    https://skydrive.live.com/redir.aspx?cid=423f2a8951d0de99&resid=423F2A8951D0DE99!111

    Thanks for looking into it.

    PS - for what it's worth, if I run the same commands on the other DC, they complete without error, but that DC is NOT the FSMO.
    Thursday, July 14, 2011 7:09 PM
  • Hello,

    how are the sites connected?

    Dcdiag show some connection problems, is any firewall between them and is the firewall configured according to: http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx

    Please remove the domain DNS servers as Forwarder, use instead the root hints or the ISPs one.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, July 14, 2011 7:23 PM
  • Howdie!
     
    Am 14.07.2011 21:09, schrieb aobrien5:
    > This is a brand new domain created yesterday. There are only 2 machines
    > on the domain - 1 DC in each of 2 sites. They are virtual, running on
    > VMWare ESX. I ran all of the commands you mentioned on both DCs, just to
    > be thorough, and they are zipped at the link below. Again, these files
    > aren't terribly large because the domain is so small.
     
    What account are you trying this with? Built-in Administrator? Some
    Domain Administrator?
     
    Florian
     
     

    The views and opinions expressed in my postings do NOT correlate with the ones of my friends, family or my employer.
    Thursday, July 14, 2011 7:47 PM
  • Hello,

    why is your IP settings like that?

     

    Windows IP Configuration

     

       Host Name . . . . . . . . . . . . : CHECK

       Primary Dns Suffix  . . . . . . . : domain.local

       Node Type . . . . . . . . . . . . : Hybrid

       IP Routing Enabled. . . . . . . . : No

       WINS Proxy Enabled. . . . . . . . : No

       DNS Suffix Search List. . . . . . : domain.local

     

    Ethernet adapter Local Area Connection:

     

       Connection-specific DNS Suffix  . : 

       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

       Physical Address. . . . . . . . . : 00-50-56-8A-01-2C

       DHCP Enabled. . . . . . . . . . . : No

       Autoconfiguration Enabled . . . . : Yes

       IPv4 Address. . . . . . . . . . . : 192.168.1.25(Preferred) 

       Subnet Mask . . . . . . . . . . . : 255.255.255.0

       Default Gateway . . . . . . . . . : 192.168.1.20

       DNS Servers . . . . . . . . . . . : 10.1.0.30

                                           127.0.0.1

       NetBIOS over Tcpip. . . . . . . . : Enabled

     

    Is Check a DNS server?

    If not, install DNS on it and make sure that it is a GC.

    Also, use the following DNS servers in its IP configuration.

    10.1.0.30

    192.168.1.25

    127.0.0.1

     

    For Check, use these DNS servers (follow the order) in your IP settings:

    192.168.1.25

    10.1.0.30

    127.0.0.1

    Once done, run ipconfig /registerdns and restart netlogon on each DC.
    Also check ports like Meinolf suggested. Use PortQry v2 for the check.

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Thursday, July 14, 2011 7:51 PM
  • @Meinolf Weber -

    Sites are connected via Site-to-Site VPN.  These same sites are being used in the trusted domain without issue.

    CHECK had Windows Firewall on still, and that is now off.

    Domain DNS forwarder was by mistake and is removed.

     

    @Florian -

    Trying both Builtin Domain Administrator and created user/Domain Admin account - same results.

     

    @Mr X -

    Is the DNS order the only thing you're questioning about the IP Addressing?  CHECK had them in the wrong order when I was configuring it and I forgot to switch them.  That's done now as well.

     

    @All - Same results after these minor changes.  Most of these changes were on CHECK, but GUESS is the FSMO where I'm trying to run the commands.

     

    Thanks again


    Thursday, July 14, 2011 8:23 PM
  • If possible reboot the DC & run below cmd. If you get access denied for the first attempt to unregister rerun the same cmd. Can you make sure windows 2008 R2 is running with latest service pack & patches. If nothing works, running SFC /SCANNOW will be more viable option.

    Can you try with some other domain admin account,newly created not the existing one, trying to sort out if there is corruption with ID.

    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time

    How to configure authoritative tine server

    http://support.microsoft.com/kb/816042 

     

    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by aobrien5 Friday, July 15, 2011 2:00 PM
    Friday, July 15, 2011 4:51 AM
  • @Awinish

    Wow.  That did it!  Can't believe running the same command a second time like that could yield such a different result and fix the problem.

    Unbelievable.  Thank you so much.

     

    C:\Users\adam>net stop w32time
    The Windows Time service is stopping.
    The Windows Time service was stopped successfully.
    
    C:\Users\adam>w32tm /unregister
    The following error occurred: Access is denied. (0x80070005)
    
    C:\Users\adam>w32tm /unregister
    W32Time successfully unregistered.
    
    C:\Users\adam>w32tm /register
    W32Time successfully registered.
    
    C:\Users\adam>net start w32time
    The Windows Time service is starting.
    The Windows Time service was started successfully.
    
    C:\Users\adam>w32tm /config /manualpeerlist:"ntp1.savvis.net ntp2.usno.navy.mil
    us.pool.ntp.org" /syncfromflags:MANUAL /reliable:yes
    The command completed successfully.

     



    • Proposed as answer by BigChaps Sunday, April 07, 2013 1:54 AM
    Friday, July 15, 2011 1:59 PM
  • I can imagine your happiness with Wow..:-)..Good to know, solution provided worked for you & Thank you for the update.

     

    Regards


    Awinish Vishwakarma 

    MVP-Directory Services

    MY BLOG:  awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, July 15, 2011 2:10 PM
  • This also worked with one of my Windows 7 Machines. IT is a Windows Media Center running at home so no Domains or anything. Thnakfully, my Recordings will now all start on time again. High WAF Score deserves to be rewarded..
    Sunday, April 07, 2013 1:56 AM