DCOM errors on site server when connecting to site systems in remote untrusted domains
When the Site Component Manager and SMS Executive are trying to access site systems in remote domains in an untrusted forest, I got a lot of events in the System log with event ID 10028:
"DCOM was unable to communicate with the computer <computername> using any of the configured protocols; requested by PID 32a4 (D:\Program Files\Microsoft Configuration Manager\bin\x64\sitecomp.exe)."
"DCOM was unable to communicate with the computer <computername> using any of the configured protocols; requested by PID 2990 (D:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe)."
I have checked the sitecomp.log and smsexec.log for errors, but I can't find anything wrong and everything seems to be working fine. I am using the site system installation account to connect to the site systems. Is this normal behavior?
October 29th, 2013 4:28pm
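For triaging the 10028 events quoted in the question above, the following PowerShell is an added example, not part of the original thread or of Configuration Manager. It parses the message text shown in the post to count failures per target computer and requesting process, and converts the PID, which the event writes in hexadecimal, to decimal. The function name and the sample computer names are assumptions constructed for illustration.

```powershell
# Added example (hypothetical helper name): parse DCOM event 10028 message text.
function ConvertFrom-Dcom10028Message {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    begin {
        # Matches the message format quoted in the post above.
        $pattern = 'communicate with the computer (?<Target>\S+) using any of the ' +
                   'configured protocols; requested by PID\s+(?<Hex>[0-9a-fA-F]+) ' +
                   '\((?<Image>.+)\)'
    }
    process {
        if ($Message -match $pattern) {
            [pscustomobject]@{
                Target    = $Matches['Target']
                Process   = ($Matches['Image'] -split '\\')[-1]
                PidHex    = $Matches['Hex']
                # The event records the PID in hexadecimal; convert it so it can be
                # compared with the decimal PID shown by Get-Process or Task Manager.
                ProcessId = [Convert]::ToInt32($Matches['Hex'], 16)
            }
        }
    }
}

# Constructed sample messages (computer names are placeholders).
$sample = @(
    'DCOM was unable to communicate with the computer MP01.remote.example using any of the configured protocols; requested by PID 32a4 (D:\Program Files\Microsoft Configuration Manager\bin\x64\sitecomp.exe).'
    'DCOM was unable to communicate with the computer MP01.remote.example using any of the configured protocols; requested by PID 2990 (D:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe).'
    'DCOM was unable to communicate with the computer DP01.remote.example using any of the configured protocols; requested by PID 2990 (D:\Program Files\Microsoft Configuration Manager\bin\x64\smsexec.exe).'
)

# One row per (target, process) pair with the number of failed attempts.
$sample | ConvertFrom-Dcom10028Message |
    Group-Object Target, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On the site server, feed the real events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10028 } |
#     Select-Object -ExpandProperty Message | ConvertFrom-Dcom10028Message
```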
Have you checked the firewall? This problem may be the result of a firewall blocking the connection. For security, COM+ network access is not enabled by default. Check the system to determine whether the firewall is blocking the remote connection.
October 31st, 2013 4:16am
Yes, there is no firewall between the site server and the site systems and no local firewalls on the servers. Could it be that DCOM is trying to use Kerberos authentication when connecting to the site system in the remote untrusted domain and then falls back
October 31st, 2013 5:10pm
I have the exact same issue when I have an MP in an untrusted domain.
From the MP in the untrusted domain, I also found this:
It seems the primary site server is trying to communicate with the MP in the untrusted domain by using its computer account, which cannot be recognized by the MP. Thus, the authentication failed.
Is this normal or not? What is the primary site server trying to do with the MP in the untrusted domain?
January 10th, 2014 6:34pm
There is continuous communication between the MP and the primary site server. You need to configure a site system account for that site system so that this communication can take place.
January 10th, 2014 7:19pm
Thanks so much for getting back. But how do I configure that account? I don't see any option in SCCM to configure the account that can be used by ccmexec.exe and sitecomp.exe when communicating with the server in the untrusted forest.
Besides, all SCCM components are working properly, and there are no error messages in the SCCM logs.
Could you please provide more information about configuring the account?
Thanks a lot!
January 10th, 2014 7:22pm
You have to do this on the Site System role of the server in the console in the Admin workspace under Site Config -> Server and Site System Roles.
January 10th, 2014 7:30pm
Do you mean this one?
I've configured that already for the MP site systems, and all components worked fine except for the DCOM errors.
Anything else that I can try?
January 10th, 2014 7:38pm
I still have the same issue. I opened a Premier support case, but so far no resolution. I have also configured the site system installation account, but the primary site server still seems to use the computer account first, and then the site system account.
Microsoft has not confirmed this to be true.
January 13th, 2014 2:51am
Thank you so much!
I opened a case with Microsoft support last Friday with Software Assurance support, but I guess this is a bug. :)
Do you have any problems on your site components and servers in the untrusted forest? Could you please post back here with the result of the Premier support case?
January 13th, 2014 9:04am
No problems on the site systems in the untrusted forest, no errors in ConfigMgr logs or in Event Viewer. I run MP and DP on the site systems in the untrusted forests.
I will post back here when I get a result from Microsoft. Please post if you get an answer from Software Assurance support.
Maybe I can send you the contact details for my support engineer at Microsoft and you can forward them to yours so they can work together on the case?
January 13th, 2014 9:19am
Same result here. We don't have any problems on any systems, except for the annoying DCOM errors.
I will update here with the SA support result. If you have your Case ID, it would be great if I could have it. I will let SA support reproduce this issue first.
January 13th, 2014 9:48am
I had to check the security event logs again on the site system, and I was wrong in my last reply. I have the same event on the site system in the untrusted forest as you have: the site server is trying to use the computer account and fails. The event is generated at the same time the DCOM event is generated on the site server. Got to be a bug that it is not trying the site system installation account first.
January 13th, 2014 9:50am
My incident number on Premier support is 113110610923387.
January 14th, 2014 3:06am