DCOM was unable to communicate with the computer x.x.x.x using any of the configured protocols (thread 2)

This is a continuation of a thread that was 'mistakenly' marked as answered - http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/353d381d-0911-41c3-98fb-2475b65c32f6 

Basically, we have 2008 R2 domain controllers that are trying to create a secure connection to servers listed in the 'forwarders' section of the DNS server properties. Of course, this connection attempt fails causing warning messages in event viewer.

Hopefully, this will get more attention from the gurus and MVPs than the last thread...

July 18th, 2012 4:29pm

Hi,

Could you please describe the issue in more detail? What kind of secure connection is it trying to create? What warning messages do you get in Event Viewer?

Best Regards

Scott Xie

July 19th, 2012 9:16am

<see below>
Note: The 208.67.220.220 address is OpenDNS which I use for my DNS forwarder.

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          7/14/2012 10:46:40 AM
Event ID:      10009
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC.[domain].com
Description:
DCOM was unable to communicate with the computer 208.67.220.220 using any of the configured protocols.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-07-14T14:46:40.000000000Z" />
    <EventRecordID>24337</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DC.[domain].com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">208.67.220.220</Data>
  </EventData>
</Event>

July 22nd, 2012 10:25pm

Hi,

Error with Event ID 10009 is a known issue.

Please refer to this similar thread: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/fff393bb-ff8b-4523-831d-c95bf8f1cb36/

July 22nd, 2012 10:40pm

Sorry, maybe I should have been more specific...

The question is not "Why am I getting EventID 10009?", or "How do I fix EventID 10009?".

The unanswered question posed by several people in the previous thread is WHY is my DNS server trying to create this connection with an EXTERNAL system listed in my DNS forwarder section?


  • Edited by Alceryes Sunday, July 22, 2012 10:58 PM
July 22nd, 2012 10:56pm

Hi Alceryes,

To figure out why your DNS server always tries to create the connection to the server listed in DNS forwarder, I suggest that you capture a network trace on the DNS server when the event occurs. Then check what process is connecting to the server 208.67.220.220 at that point in time.

Best Regards

Scott Xie

July 24th, 2012 9:07am

Hi everyone,

I read this thread and the original one as I was having the same issue.

Although not a solution, I found a way to stop the endless stream of error messages. In my case the DCOM event was referring to a server that didn't exist anymore. I edited the hosts file (c:\windows\system32\drivers\etc\hosts) and pointed the server name to 127.0.0.1 (localhost). The result is a single warning message and then nothing anymore. I hope this is helpful for some people.

The program svchost.exe, with the assigned process ID 728, could not authenticate locally by using the target name RPCSS/<servername>. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

Try a different target name.

May 6th, 2014 12:52pm

I have been having this issue with two of my domain controllers, trying to connect to machines that were only on the network temporarily, and especially trying to connect to non-windows devices (and hence non-domain clients) on the WiFi network.  I was getting two or three of these DCOM 10009 errors every few seconds and it was choking the hell out of my System log.

I also reviewed the previous totally-not-really-answered thread and the exchange about the Labtech management software is what clued me in to a solution.

For those who don't want to go back and review that thread (here) the short version is that the Labtech software was repeatedly running the command DCDIAG /TEST:DNS /DNSforwarders as part of its regular health check, and that test was causing the RPC service to try to communicate with the server in question (an external DNS server, so, obviously, no RPC connection.)

This made me think about services on the DC that I've been having this issue on (two of them actually) and which of those services might be trying  to force a connection to every device on the LAN for some reason.  For example, I checked to see if there was a Spiceworks agent on the server that might be at fault.

It turned out to be a service associated with our newly deployed Palo Alto Networks firewall, and specifically the User Agent service that was installed on the two DCs experiencing the problem.  In brief, it was running something called WMI-Probing for any device sending web traffic from a domain-authenticated host (including devices connected to WiFi using users' domain credentials.)

Palo Alto's description of the issue is here, but the lesson to be learned is that if you've got this DCOM error, it's because something on the computer (doesn't have to be the DC) is trying to initiate a connection to the target IP.  If you look through your services list, you're probably going to find it.  I found it by running Process Monitor on one of the DCs and looking for activity immediately preceding the attempted network RPC EPMAP actions and for every single one I saw an action by the Palo Alto User Agent service. Five seconds on Google with "Palo Alto Dcom 10009" put up the answer.  If you've got this error, betcha you've got some service running that's trying to make that RPC connection at whatever frequency the error is popping up.

Good luck! 

July 3rd, 2014 9:55pm
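
An added example, not part of any post in this thread: the post above ties the error to whatever service polls at the same frequency as the events, so this sketch tallies DCOM 10009 events per target and reports the median gap between them. It assumes the events were exported as XML in the layout quoted earlier in the thread; the function names are hypothetical and the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import median

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}
PROVIDER = "Microsoft-Windows-DistributedCOM"

def _event(event_id, when, target):
    """Build one constructed event in the layout quoted in the thread."""
    return (f'<Event xmlns="{NS_URI}"><System>'
            f'<Provider Name="{PROVIDER}"/>'
            f'<EventID Qualifiers="49152">{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}.000000000Z"/></System>'
            f'<EventData><Data Name="param1">{target}</Data></EventData></Event>')

# Constructed sample data (not taken from a real log).
SAMPLE = "<Events>" + "".join([
    _event(10009, "2012-07-14T14:46:40", "208.67.220.220"),
    _event(10009, "2012-07-14T14:50:00", "192.0.2.10"),
    _event(10009, "2012-07-14T14:51:40", "208.67.220.220"),
    _event(10016, "2012-07-14T14:52:00", "ignored"),   # other event ID, skipped
    _event(10009, "2012-07-14T14:56:40", "208.67.220.220"),
]) + "</Events>"

def dcom_10009_targets(xml_text):
    """Return {target: [timestamps]} for DCOM 10009 events in exported XML."""
    hits = defaultdict(list)
    for ev in ET.fromstring(xml_text).iter(f"{{{NS_URI}}}Event"):
        provider = ev.find("e:System/e:Provider", NS)
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if provider is None or provider.get("Name") != PROVIDER:
            continue
        if event_id.strip() != "10009":
            continue
        target = ev.findtext("e:EventData/e:Data[@Name='param1']", namespaces=NS)
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # SystemTime carries nine fractional digits; keep whole seconds only.
        hits[target].append(datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"))
    return hits

def summarize(xml_text):
    """Return [(target, count, median_gap_seconds or None)], busiest first."""
    rows = []
    for target, stamps in dcom_10009_targets(xml_text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        rows.append((target, len(stamps), median(gaps) if gaps else None))
    return sorted(rows, key=lambda r: -r[1])
```

A steady median gap for one target (300 seconds for 208.67.220.220 in the constructed sample) is the interval to look for among scheduled health checks and agent polling settings on the server.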

Good find, Eric. However, I was not running any extra services/programs on my 2k8R2 DC (where I was getting the error).

I recently decom'd my old 2k8R2 DC and now have a 2012R2 DC in its place. I haven't seen that 10009 error since.

  • Marked as answer by Alceryes Friday, October 31, 2014 2:02 PM
July 9th, 2014 4:23pm

I'd also like to know why DCOM tries to connect to DNS servers listed in forwarders. I haven't been able to work that out, however I was able to stop the errors appearing in the event log.

Only a few servers were experiencing the issue, and the one difference I found was in the network adapter settings. The servers that continuously logged the events had incorrectly configured advanced settings.

In my case, the settings were:

  • IPv4 Checksum Offload: Disabled
  • Large Send Offload Version 2 (IPv4): Disabled
  • Large Send Offload Version 2 (IPv6): Disabled
  • TCP Checksum Offload (IPv4): Disabled
  • TCP Checksum Offload (IPv6): Disabled
  • UDP Checksum Offload (IPv4): Disabled
  • UDP Checksum Offload (IPv6): Disabled

The settings should have been:

  • IPv4 Checksum Offload: Rx & Tx Enabled
  • Large Send Offload Version 2 (IPv4): Enabled
  • Large Send Offload Version 2 (IPv6): Enabled
  • TCP Checksum Offload (IPv4): Rx & Tx Enabled
  • TCP Checksum Offload (IPv6): Rx & Tx Enabled
  • UDP Checksum Offload (IPv4): Rx Enabled
  • UDP Checksum Offload (IPv6): Rx Enabled

Once those settings were fixed, the DCOM errors disappeared.


  • Edited by SSonik 21 minutes ago
April 14th, 2015 3:22am

This topic is archived. No further replies will be accepted.
