briancrago
asked on
The description for Event ID ( 10009 ) in Source ( DCOM ) could not be found. It contains the following insertion string(s): oldexchangeserver1.ourdomain.com.
In production we currently have 3 Windows Server 2008 R2 Standard 64-bit Domain Controllers in our environment. We have 2 DCs located locally and one at our DR site. The machines are named DC2K8-1, DC2K8-2 & DR-DC2K8-1. Everyday we receive multiple errors such as the following below on each server. Any ideas what could be causing this?
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10009
Date: 11/8/2010
Time: 12:45:37 PM
User: DC2K8-1.ourdomain.com
Description:
The description for Event ID ( 10009 ) in Source ( DCOM ) could not be found. It contains the following insertion string(s): oldexch.ourdomain.com.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 3c 52 65 63 6f 72 64 23 <Record#
0008: 31 3a 20 43 6f 6d 70 75 1:.Compu
0010: 74 65 72 3d 28 6e 75 6c ter=(nul
0018: 6c 29 3b 50 69 64 3d 37 l);Pid=7
0020: 39 36 3b 31 31 2f 38 2f 96;11/8/
0028: 32 30 31 30 20 31 37 3a 2010.17:
0030: 34 35 3a 33 37 3a 32 36 45:37:26
0038: 32 3b 53 74 61 74 75 73 2;Status
0040: 3d 31 37 32 32 3b 47 65 =1722;Ge
0048: 6e 63 6f 6d 70 3d 32 3b ncomp=2;
0050: 44 65 74 6c 6f 63 3d 31 Detloc=1
0058: 37 31 30 3b 46 6c 61 67 710;Flag
0060: 73 3d 30 3b 50 61 72 61 s=0;Para
0068: 6d 73 3d 31 3b 7b 50 61 ms=1;{Pa
0070: 72 61 6d 23 30 3a 30 7d ram#0:0}
0078: 3e 3c 52 65 63 6f 72 64 ><Record
0080: 23 32 3a 20 43 6f 6d 70 #2:.Comp
0088: 75 74 65 72 3d 28 6e 75 uter=(nu
0090: 6c 6c 29 3b 50 69 64 3d ll);Pid=
0098: 37 39 36 3b 31 31 2f 38 796;11/8
00a0: 2f 32 30 31 30 20 31 37 /2010.17
00a8: 3a 34 35 3a 33 37 3a 32 :45:37:2
00b0: 36 32 3b 53 74 61 74 75 62;Statu
00b8: 73 3d 31 37 32 32 3b 47 s=1722;G
00c0: 65 6e 63 6f 6d 70 3d 31 encomp=1
00c8: 38 3b 44 65 74 6c 6f 63 8;Detloc
00d0: 3d 31 34 34 32 3b 46 6c =1442;Fl
00d8: 61 67 73 3d 30 3b 50 61 ags=0;Pa
00e0: 72 61 6d 73 3d 31 3b 7b rams=1;{
00e8: 50 61 72 61 6d 23 30 3a Param#0:
00f0: 62 75 63 6b 65 78 63 68 oldexch
00f8: 61 6e 67 65 2e 62 75 63 .ourdom
0100: 6b 72 65 73 65 61 72 63 ain
0108: 68 2e 63 6f 6d 7d 3e 3c .com}><
0110: 52 65 63 6f 72 64 23 33 Record#3
0118: 3a 20 43 6f 6d 70 75 74 :.Comput
0120: 65 72 3d 28 6e 75 6c 6c er=(null
0128: 29 3b 50 69 64 3d 37 39 );Pid=79
0130: 36 3b 31 31 2f 38 2f 32 6;11/8/2
0138: 30 31 30 20 31 37 3a 34 010.17:4
0140: 35 3a 33 37 3a 32 36 32 5:37:262
0148: 3b 53 74 61 74 75 73 3d ;Status=
0150: 31 37 32 32 3b 47 65 6e 1722;Gen
0158: 63 6f 6d 70 3d 31 38 3b comp=18;
0160: 44 65 74 6c 6f 63 3d 33 Detloc=3
0168: 32 32 3b 46 6c 61 67 73 22;Flags
0170: 3d 30 3b 50 61 72 61 6d =0;Param
0178: 73 3d 30 3b 3e 3c 52 65 s=0;><Re
0180: 63 6f 72 64 23 34 3a 20 cord#4:.
0188: 43 6f 6d 70 75 74 65 72 Computer
0190: 3d 28 6e 75 6c 6c 29 3b =(null);
0198: 50 69 64 3d 37 39 36 3b Pid=796;
01a0: 31 31 2f 38 2f 32 30 31 11/8/201
01a8: 30 20 31 37 3a 34 35 3a 0.17:45:
01b0: 33 37 3a 32 36 32 3b 53 37:262;S
01b8: 74 61 74 75 73 3d 31 31 tatus=11
01c0: 30 30 31 3b 47 65 6e 63 001;Genc
01c8: 6f 6d 70 3d 31 38 3b 44 omp=18;D
01d0: 65 74 6c 6f 63 3d 33 32 etloc=32
01d8: 30 3b 46 6c 61 67 73 3d 0;Flags=
01e0: 30 3b 50 61 72 61 6d 73 0;Params
01e8: 3d 31 3b 7b 50 61 72 61 =1;{Para
01f0: 6d 23 30 3a 62 75 63 6b m#0:old
01f8: 65 78 63 68 61 6e 67 65 exch
0200: 2e 62 75 63 6b 72 65 73 .ourdom
0208: 65 61 72 63 68 2e 63 6f ain.co
0210: 6d 7d 3e m}>
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10009
Date: 11/8/2010
Time: 12:45:37 PM
User: DC2K8-1.ourdomain.com
Description:
The description for Event ID ( 10009 ) in Source ( DCOM ) could not be found. It contains the following insertion string(s): oldexch.ourdomain.com.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 3c 52 65 63 6f 72 64 23 <Record#
0008: 31 3a 20 43 6f 6d 70 75 1:.Compu
0010: 74 65 72 3d 28 6e 75 6c ter=(nul
0018: 6c 29 3b 50 69 64 3d 37 l);Pid=7
0020: 39 36 3b 31 31 2f 38 2f 96;11/8/
0028: 32 30 31 30 20 31 37 3a 2010.17:
0030: 34 35 3a 33 37 3a 32 36 45:37:26
0038: 32 3b 53 74 61 74 75 73 2;Status
0040: 3d 31 37 32 32 3b 47 65 =1722;Ge
0048: 6e 63 6f 6d 70 3d 32 3b ncomp=2;
0050: 44 65 74 6c 6f 63 3d 31 Detloc=1
0058: 37 31 30 3b 46 6c 61 67 710;Flag
0060: 73 3d 30 3b 50 61 72 61 s=0;Para
0068: 6d 73 3d 31 3b 7b 50 61 ms=1;{Pa
0070: 72 61 6d 23 30 3a 30 7d ram#0:0}
0078: 3e 3c 52 65 63 6f 72 64 ><Record
0080: 23 32 3a 20 43 6f 6d 70 #2:.Comp
0088: 75 74 65 72 3d 28 6e 75 uter=(nu
0090: 6c 6c 29 3b 50 69 64 3d ll);Pid=
0098: 37 39 36 3b 31 31 2f 38 796;11/8
00a0: 2f 32 30 31 30 20 31 37 /2010.17
00a8: 3a 34 35 3a 33 37 3a 32 :45:37:2
00b0: 36 32 3b 53 74 61 74 75 62;Statu
00b8: 73 3d 31 37 32 32 3b 47 s=1722;G
00c0: 65 6e 63 6f 6d 70 3d 31 encomp=1
00c8: 38 3b 44 65 74 6c 6f 63 8;Detloc
00d0: 3d 31 34 34 32 3b 46 6c =1442;Fl
00d8: 61 67 73 3d 30 3b 50 61 ags=0;Pa
00e0: 72 61 6d 73 3d 31 3b 7b rams=1;{
00e8: 50 61 72 61 6d 23 30 3a Param#0:
00f0: 62 75 63 6b 65 78 63 68 oldexch
00f8: 61 6e 67 65 2e 62 75 63 .ourdom
0100: 6b 72 65 73 65 61 72 63 ain
0108: 68 2e 63 6f 6d 7d 3e 3c .com}><
0110: 52 65 63 6f 72 64 23 33 Record#3
0118: 3a 20 43 6f 6d 70 75 74 :.Comput
0120: 65 72 3d 28 6e 75 6c 6c er=(null
0128: 29 3b 50 69 64 3d 37 39 );Pid=79
0130: 36 3b 31 31 2f 38 2f 32 6;11/8/2
0138: 30 31 30 20 31 37 3a 34 010.17:4
0140: 35 3a 33 37 3a 32 36 32 5:37:262
0148: 3b 53 74 61 74 75 73 3d ;Status=
0150: 31 37 32 32 3b 47 65 6e 1722;Gen
0158: 63 6f 6d 70 3d 31 38 3b comp=18;
0160: 44 65 74 6c 6f 63 3d 33 Detloc=3
0168: 32 32 3b 46 6c 61 67 73 22;Flags
0170: 3d 30 3b 50 61 72 61 6d =0;Param
0178: 73 3d 30 3b 3e 3c 52 65 s=0;><Re
0180: 63 6f 72 64 23 34 3a 20 cord#4:.
0188: 43 6f 6d 70 75 74 65 72 Computer
0190: 3d 28 6e 75 6c 6c 29 3b =(null);
0198: 50 69 64 3d 37 39 36 3b Pid=796;
01a0: 31 31 2f 38 2f 32 30 31 11/8/201
01a8: 30 20 31 37 3a 34 35 3a 0.17:45:
01b0: 33 37 3a 32 36 32 3b 53 37:262;S
01b8: 74 61 74 75 73 3d 31 31 tatus=11
01c0: 30 30 31 3b 47 65 6e 63 001;Genc
01c8: 6f 6d 70 3d 31 38 3b 44 omp=18;D
01d0: 65 74 6c 6f 63 3d 33 32 etloc=32
01d8: 30 3b 46 6c 61 67 73 3d 0;Flags=
01e0: 30 3b 50 61 72 61 6d 73 0;Params
01e8: 3d 31 3b 7b 50 61 72 61 =1;{Para
01f0: 6d 23 30 3a 62 75 63 6b m#0:old
01f8: 65 78 63 68 61 6e 67 65 exch
0200: 2e 62 75 63 6b 72 65 73 .ourdom
0208: 65 61 72 63 68 2e 63 6f ain.co
0210: 6d 7d 3e m}>
I saw this once on ProLiant servers that had Insight Manager Agents on. They were looking for a removed server. But, I guess any DCOM process that fails could do this so it will be difficult to diagnose from this. Did you remove buckexchange gracefully or did it fail?
ASKER
The Exchange server is a mail server was in production 2 mail server generations ago. To my knowledge it was removed gracefully. This is a HP Proliant DL360 G6.
I can't think why it should suddenly start, then. If it's similar to our incident, the errors happened twice an hour. To make things worse, I can't remember how we fixed it; I think we hada to remove references to the removed machine from the registry - in a key something to do with the Insight Agents
ASKER
It appears to happen every 8 hours. So frustrating!
Have you done a registry search for buckexchange or buckexchange.buckresearch. com?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
I found and confirmed that there is a scheduled task w/ Name "SystemsTask" that when run produces the event log errors. I'm not sure how to proceed.
Oh good! I'm glad my theory was right. Now, we have to find out where buckexchange is being referenced from. I'll research where in AD this is. Meanwhile, can you tell me if you currently have the Certificate Services role installed anywhere else so that we don't delete the wrong thing?
ASKER
Losip -
I don't believe we have any Certificate Services installed anywhere. Any ideas as to what my next steps should be?
I don't believe we have any Certificate Services installed anywhere. Any ideas as to what my next steps should be?
Brian. I'm away for three days but will answer next week. Meanwhile, it is OK to disable that task if you wish.
Brian, my investigations aren't conclusive but I found that the CertificateServicesClient task does look for a Certificate Authority in Active Directory but if you've never had one, I can't explain what's going on. However, you might like to run up ADSIedit anyway and have a look at: Configuration / CN=Configuration,DC=buckre search,DC= com / CN=Services / CN=Public Key Services / CN=Certification Authorities and see if there is an entry for CN=buckexchange. As I say, the contents of Certification Authorities should be empty but you might just find that someone, at some time, installed a CA and then removed it leaving an obsolete entry. I know for sure that removing the CA role from a server does not clean up the AD after it.
If buckexchange is there it can be deleted because the server doesn't exist any longer. Similarly, you may find entries for it under the CN=AIA, CN=CDP, and CN=KRA objects.
If buckexchange is there it can be deleted because the server doesn't exist any longer. Similarly, you may find entries for it under the CN=AIA, CN=CDP, and CN=KRA objects.
ASKER
Problem still occurring. Will have to escalate the issue.
Did you try my suggestions above? If so, and the problem still occurs then just disable that task in Task Scheduler.