Solved

Server 2003 Enterprise.  Event log DCOM 10003 error

Posted on 2004-09-02
Last Modified: 2008-01-09
My server is logging a TON of these errors.  1 every couple of minutes.  MS provides no insight.  I typically look at http://www.eventid.net for help, but I found nothing.



Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10003
Date:            9/2/2004
Time:            7:22:06 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      ZEUS
Description:
Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is:
{00020906-0000-0000-C000-000000000046}
The user is ANONYMOUS LOGON/NT AUTHORITY, SID=S-1-5-7.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:dkuhlman
 

Author Comment

by:dkuhlman
0
 
LVL 3

Expert Comment

by:Julian_C
Yes, but the error has a different CLSID to the MDM so which DCOM server is trying to start?

It seems that the key in question is linked to Word.Document.8. Does that ring any bells? Any apps running that use Word? If you look this up on my machine under HKEY_CLASSES_ROOT\CLSID\00020906-0000-0000-C000-000000000046 then the LocalServer32 is winword.exe. Strange, but the InprocServer32 is a script handler in my virus scanner, which suggests that this is how it scans the docs for viruses. The AV doesn't sound like your issue though. More like something wants to create Word objects and can't. Try running regmon from http://www.sysinternals.com to see which process is trying to spawn this.

Cheers
Julian
0
 
LVL 3

Expert Comment

by:Julian_C
What OS are you running? If it's XP you can go to Component Services, Computers, My Computer, DCOM Config, Microsoft Document and right click to select properties. In security you can see the Launch Permissions are set to default. You really shouldn't have to change this. Have you installed XP SP2 or something else? If the identity tab is set to Launching User then the permissions are taken from the process that is trying to launch the DCOM server, so you really need to identify the calling app and the user context that it is running in. I'm guessing that it is not running as a service or in the context of the logged on user. The anonymous logon can come from many things, but for it to try and fire Word off could be something like a web application that dynamically generates Word docs for download etc. Without more info it's hard for me to go further at this time.

Cheers
Julian
0
 
LVL 3

Expert Comment

by:Julian_C
Have you identified the process that's using word yet?

Cheers
Julian
0
 

Author Comment

by:dkuhlman
The OS is Server 2003.  No SP2.  I downloaded and ran regmon, but I'm not really sure what to look for.  I don't see anything trying to start winword.exe.  My AV software is CA Etrust 7.1.
0
 

Author Comment

by:dkuhlman
This server also runs Exchange 2003 if that helps.
0
 
LVL 3

Expert Comment

by:Julian_C
OK, so run Regmon. Wait until you know an error has been logged (1 every couple of mins so not long to wait I guess). Then pause it by pressing the pause button and use the search facility to look for 00020906-0000-0000-C000-000000000046. The process will be looking for this regkey to see what it has to call.

Cheers
Julian
0
 

Author Comment

by:dkuhlman
I just tried to run regmon and it caused my server to reboot......  While I wait for it to come back up, please note the following.  My server has 2 network cards.  I have assigned about 10 static internet IP addresses to 1 of them.  The other one has 1 static NAT'ed 192.168.x.x address.  This server has all of my critical data on it, and runs Exchange 2003.  What's the point of having a firewall if I have to open up the other interface to host websites?  Is there a way I can assign the 10 static internet IP addresses to interface 1 while behind a firewall?  My current firewall is a Watchguard SOHO 6.  Also note, if I disable the network card that has the 10 static internet IP addresses, this error does not occur.

Now then.... Server is back up.  I did a search for the string indicated above in regmon.  SVCHOST.exe:812 appears to be our culprit.   In the path column I see such things as HKCR\CLSID\{00020906-0000-0000-C000-000000000046} InprocServer32; LocalServer32; or TreatAs; etc.  I hope this means something to you all.....
0
 
LVL 3

Expert Comment

by:Julian_C
Right then, before I start thinking about the stuff you just said about the network card with 10 internet addressable IPs I need some more info from the regmon output. It is a great shame that the server rebooted because now process 812 (which was a service) is no longer running so we can't look inside. On www.sysinternals.com is another utility called process explorer. If you look at a standard taskmon list you'll see lots of svchost processes but you can't tell which service is inside which service host, BUT process explorer can. It's like a super task monitor. It shows all the processes and if it's a service host process then it shows the internal process that it is hosting. For future reference it also lists all the open handles for a process and this is very useful sometimes to see what files a process has open.

So, what you need to do now is: you need to run regmon again (as we need to know which svchost it is and it will now have a new number) BUT this time, when you start it off pause it straight away, then find the filter button and change the include filter from * to SVCHOST* and then unpause it. This will give much less in the output and should stop the server crashing as it will only capture output from svchost processes. Once you get an error pause it again and find the svchost process number that caused the issue. When you have that, look it up with process explorer and see what the underlying service is. Then let us know and we'll go from there.

In the meantime I'll try and understand these new facts you gave us about 10 static internet IPs etc etc.

I'll be back...

Julian
0
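
The two lookups discussed in the thread so far (which COM server a CLSID from the event names, and which services live inside a given svchost PID), as an added PowerShell example that is not part of the original posts. It assumes PowerShell 3.0 or later on a current Windows host; the function names `Resolve-DcomClsid` and `Get-ServicesInProcess` are hypothetical.

```powershell
# Added example: function names are illustrative, not from the thread.

function Resolve-DcomClsid {
    # Map a CLSID from a DCOM event to the server registered for it.
    param([Parameter(Mandatory)][string]$Clsid)

    # Accepts the CLSID with or without braces; registry key names use braces.
    $guid = [guid]$Clsid
    $key  = 'Registry::HKEY_CLASSES_ROOT\CLSID\' + $guid.ToString('B')
    if (-not (Test-Path -LiteralPath $key)) { return $null }

    # Default value of a subkey, or $null when the subkey does not exist.
    $default = {
        param($sub)
        $k = Get-Item -LiteralPath "$key\$sub" -ErrorAction SilentlyContinue
        if ($k) { $k.GetValue('') }
    }

    [pscustomobject]@{
        Clsid          = $guid.ToString('B')
        ProgId         = & $default 'ProgID'
        LocalServer32  = & $default 'LocalServer32'   # out-of-process server (an .exe)
        InprocServer32 = & $default 'InprocServer32'  # in-process server (a .dll)
        TreatAs        = & $default 'TreatAs'         # CLSID this class is redirected to
        AppId          = (Get-Item -LiteralPath $key).GetValue('AppID')
    }
}

function Get-ServicesInProcess {
    # List the services hosted in one process, e.g. a shared svchost.exe.
    param([Parameter(Mandatory)][int]$ProcessId)

    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, StartName
}

# CLSID taken from the event text in the question.
Resolve-DcomClsid -Clsid '{00020906-0000-0000-C000-000000000046}'

# 812 is the PID reported in the thread; PIDs change at every boot,
# so substitute the one seen at the time of the error.
Get-ServicesInProcess -ProcessId 812
```

The `AppId` value, when present, is the key under `HKEY_CLASSES_ROOT\AppID` where per-application launch permissions are stored; when it is absent the machine-wide default launch permission applies.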
 
LVL 3

Expert Comment

by:Julian_C
OK, the answer is to have your FW NAT the incoming traffic for you instead of the way you have it set up. This is standard practice. It is very unusual to have non-NAT'd addresses on the inside of the firewall and I don't like it. You need to find out how to set up your FW for NAT and use a different range for this zone inside. You could use the private 10.x.x.x range and set the internal IP of the FW as 10.0.0.1 and the 10 static web sites etc running perhaps on 10.0.0.100 - 10.0.0.1009 perhaps. Using a different network to the 192.168 on the other card means that if there is ever a mistake and, heaven forbid, you have a physical connection that misses out the server then the FW will not be on a network that can address your internal LAN on the other side of the server, but it's just a precaution. Anyway, like I said, you really need to NAT on the FW and have private addresses for your sites etc. On the FW you'll have 10 static NAT rules that say traffic for external address xxx.xxx.xxx.xxx is NAT'd to internal address 10.0.0.100 etc etc. As an example, you'll also have to change your filter rules to allow traffic on port 80 to server 10.0.0.100 etc etc. I have never used a Watchguard so I can't give real details for this. Do you know enough about the FW to make these changes? I've never used a FW that doesn't have NAT so it will be possible. Nice GUI to use?

Cheers
Julian
0
 
LVL 3

Expert Comment

by:Julian_C
Obviously I meant 109 and not 1009 :-)
0
 
LVL 3

Expert Comment

by:Julian_C
Any joy with this?
0
 

Author Comment

by:dkuhlman
I can only assign 1 static IP address to the external interface on my firewall.  Any suggestions for a new one?  I really like the watchguard interface.  I hold a valid Cisco certification, but I don't feel comfortable setting up a Cisco PIX firewall.  I'm still working on getting the info you need off the server.  
0
 
LVL 3

Expert Comment

by:Julian_C
What sort of device is it that you want to replace? If it's a DSL modem/router then try:

http://www.draytek.co.uk/products/vigor2600plus.html

which is very good but I think you can only add 8 external IPs to the Vigor but I'm not sure. Last time I used one I thought I could just add an entire subnet, and in my case that was 16 addresses (inc network and broadcast). I'll do some more digging around. I've left a voicemail with a friend who has the Vigor right now so I should know by tomorrow.

But if it's just an ethernet FW/router then the d-link-604 supports multi-nat but again, I'm not sure how many external IPs it supports.

The low end PIXs come with PDM support and that really makes setting them up much easier than the old command line if you aren't used to it. The 501 is pretty cheap but watch out for the 10 user limit on the cheapest version of it. Have you thought about the CheckPoint Safe@Office? I really don't know what multi-nat support this has but it's a Checkpoint so the FW would be good.

Cheers
Julian


http://www.multitech.com/PRODUCTS/Families/SOHO_VPN/


Actually, I've just reread your networking requirement and see that you need to

0
 

Author Comment

by:dkuhlman
If I enable the Windows firewall on the interface that is exposed to the internet, these errors stop.  So I have decided not to pursue the reason they are coming up.  I feel like the server should not be exposed directly to the internet like it is.  I can't tell if you can assign multiple external IPs to either of the routers you mentioned above.  I'd like something that also filters outgoing traffic; filtering incoming traffic only is not secure enough.  Do you have any other suggestions?  Was your last question fully entered?
0
 
LVL 3

Accepted Solution

by:
Julian_C earned 500 total points
Sorry, excuse my other post, I've only just seen this.

Yes, you are right that your server really shouldn't be exposed in this way. The Draytek filters outbound too, as you want, BUT I really think you are going to have to bite the bullet and use a PIX or A N Other mainstream FW. The PDM interface really makes setting up the stuff dead easy. I do security consultancy for the UK government and we just failed an audit because we had PDM turned on. Apparently there are weaknesses with it but I think you could set it up using PDM and then just disable it afterwards. The command line isn't that bad and there seems to be lots of help available on EE too.

Cheers
Julian
0
