Event ID: 10016, DCOM Error which affects SCCM Clients communication with the Server.
Hi,
I came across to one issue regarding my Server Windows 2003 with Service Pack 2 hosting our SCCM Server 2007 R3 Primary site
Server, in the Same Server Database is also in it, IIS and MS Forefront Endpoint Protection 2010 Server.
The issue is in the Event Viewer, Systems I keep on seeing Event ID: 10016,
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 1/16/2012
Time: 3:16:55 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: CONTOSO
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{2B8EEDF8-21D2-51CD-8926-C31D2ED3E278}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
============================
I tried to follow the suggested solution from Microsoft:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=10016&EvtSrc=DCOM&LCID=1033
But unfortunately I was stuck on the 6th procedure which requires locating friendly name in the DCOM.
............
Explanation
A program, the Clsid displayed in the message, tried to start the DCOM server by using the DCOM infrastructure. Based on the security
ID (SID), this user does not have the necessary permissions to start the DCOM server.
User Action
Verify that the user has the appropriate permissions to start the DCOM server.
To assign permissions
1.
Using Regedit, navigate to the following registry value
HKCR\Clsid\clsid value\localserver32
The clsid value is the information displayed in the message. In my case I have HKCR\Clsid\{2B8EEDF8-21D2-51CD-8926-C31D2ED3E278}\localserver32
(Done)
2.
In the right pane, double-click Default. The Edit String dialog box is displayed. Leave this dialog box open.
(Done)
3.
Click
Start, and then click Control Panel. (Done)
4.
Double-click
Administrative Tools, and then double-click Component Services.
(Done)
5.
In the Component Services snap-in, expand
Computers, expand My Computer, and double-click
DCOM Config. (Done)
6.
In the right pane, locate the program by using its friendly name.(In
this procedure I am stuck, the issue is I cannot find the Friendly Name for the Application)
7.
Right-click the program name, and then select
Properties.
8.
On the
Security tab, in the Launch and Activation Permissions group box, select
Customize, and then click Edit.
Add the user to the permissions list, and give the user the appropriate permissions.
If anyone can assist me on this issue it is highly appreciated.
Regards,
January 16th, 2012 7:59am
did you perform the steps given above ? do you have any issues with SCCM functionality with this error ?
this is more of windows server related issue
http://social.technet.microsoft.com/Forums/en/category/windowsserver/ ,you can make use of it
have you performed the steps given here on
http://support.microsoft.com/kb/899965
Please click on "vote as Helpful" if you feel this post helpful to you.
Eswar Koneti | My Tech blog:
eskonr.com | Linkedin: Eswar Koneti
Free Windows Admin Tool Kit Click here and download it now
January 16th, 2012 8:26am
did you perform the steps given above ? do you have any issues with SCCM functionality with this error ?
this is more of windows server related issue
http://social.technet.microsoft.com/Forums/en/category/windowsserver/ ,you can make use of it
have you performed the steps given here on
http://support.microsoft.com/kb/899965
Please click on "vote as Helpful" if you feel this post helpful to you.
Eswar Koneti | My Tech blog:
eskonr.com | Linkedin:
Eswar Koneti
Eswar,
Thank you for your reply please see below reply on my side:
For SCCM Functionality, I need to check one by one but so far no reports from other System Adminstartors regarding deployment, I will check reports, Patch management section which will take time.
Second I believed the link you have provided is for Windows XP Professional x64 Edition, however I also checked the procedure and settings compare to what I have.
..... as suggested on the Link from Microsoft the one you have provided:
Grant the user permissions to start the COM component
<script type="text/javascript">// <![CDATA[ loadTOCNode(2, 'resolution'); // ]]></script> Grant the user permissions to start the COM component. To do this, follow these steps:
Click Start, click Run, type regedit in the
Open box, and then click OK.(Done)
Locate and then click the following registry subkey:
HKEY_CLASSES_ROOT\CLSID\CLSID value
Note In this subkey, "CLSID value" is a placeholder for the CLSID information that appears in the message.(Done)
In the right pane, double-click AppID.(Done)
The Edit String dialog box appears. Leave this dialog box open and continue to the next step.
Click Start, click Run, type dcomcnfg in the
Open box, and then click OK.
If a Windows Security Alert message prompts you to keep blocking the Microsoft Management Console program, click to unblock the program.(Checked but Not required in my situation)
In Component Services, double-click Component Services, double-click
Computers, double-click My Computer, and then click
DCOM Config.(Done)
In the details pane, locate the program by using the friendly name.
If the AppGUID identifier is listed instead of the friendly name, locate the program by using this identifier.(Once Again in this procedure I am stuck, the issue is I cannot
find the Friendly Name for the Application even using the details in AppGUID)
Right-click the program, and then click Properties. Click the Security tab. In the Launch and Activation Permissions area, click
Customize, and then click Edit. Click Add, type the user's account name, and then click
OK. While the user is selected, click to select the Allow check boxes for the following items:
Local Launch Remote Launch Local Activation Remote Activation
Click OK two times. Quit Registry Editor.
Back to the top
Grant the correct permissions to the Network Service account
<script type="text/javascript">// <![CDATA[ loadTOCNode(2, 'resolution'); // ]]></script> To grant the correct permissions to the Network Service account, follow these steps:
Click Start, click Run, type dcomcnfg in the
Open box, and then click OK.(Done)
In Component Services, double-click Component Services, and then double-click
Computers.(Done)
Right-click My Computer, and then click Properties.
(Done)
Click the COM Security tab.(Done)
In the Launch and Activation Permissions area, click
Edit Default.(Done)
Click Add, type Network Service, and then click
OK.(Done)
While Network Service is selected, click to select the
Allow check boxes for the following items:(Checked but Not required in my situation, my
Event Log says the permission should be set for Local Service however I also checled and the Allo box for the below settings are with checked already)
Local Launch Remote Launch Local Activation Remote Activation
Click OK two times.
Any other suggestions?
January 16th, 2012 9:01am
If the AppGUID identifier is listed instead of the friendly name, locate the program by using this identifier.(Once Again in this procedure I am stuck, the issue is I
cannot find the Friendly Name for the Application even using the details in AppGUID)
This is SMS Agent HostAndre van den Berg
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2012 8:45am