
  • Status: Solved

Trace DCOM

Event Viewer Error on DC Windows 2008 R2:

I am receiving the following error after the deletion of an Enterprise Sub CA. I went back through ADUC and cleaned it out following the Windows document, but the error still appears 30+ times a day on my main domain controller.

"DCOM was unable to communicate with the computer SUBCA.xxxxxxxxxxx.xxxxxx.org using any of the configured protocols."
Event ID: 10009

I want to figure out a way to see why the DCOM is attempting to contact the computer. I am thinking either there are computers on the network with certs that are still looking to confirm validity and contact the DC to contact the SubCA. Is there a way to track requests? Any ideas of what could be causing the error to be thrown?

Thanks for any help!

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <TimeCreated SystemTime="2012-08-14T13:25:36.000000000Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />
  <EventData>
    <Data Name="param1">SUBCA.xxxxxxxxxx.xxxxxx.org</Data>
Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
TimMurp (Author) commented:
Hi Rancy,

Thanks for taking a look. However, I am still not seeing a solution.

http://technet.microsoft.com/en-us/library/ms839040.aspx ---

They tell me to go under regedit --> RPC and then DCOM, but there isn't a subfolder with that name there. I have clientProtocols, extensions, and security service. It also doesn't say what to do if I found it there. (I am assuming I am finding this on my DC.)

I go through the steps of the first link but my DC computer is already set to TCP/IP. I am assuming then it is good to go.

http://support.microsoft.com/kb/245197 -- this has to do with 2000 and XP. It is also changing the protocols, which were already established correctly.

I looked through the search you sent but most of them were the same as the case above and weren't fruitful. I am looking around Component Services for some type of solution. Is there a way to view where the DCOM requests come from? The only solution I can find right now isn't a solution, which is to put on DNS forwarders. I feel like this is as bad as ignoring the problem.

I am beginning to wonder if the certs it originally issued are trying to verify still. I might run a startup script to remove all personal certifications if I can't find a solution to the DCOM.
TimMurp (Author) commented:
I figured out how to do DNS logging:


This is the cause of the error:

8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6836   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
UDP question info at 00000000025B9210
  Socket = 336
  Remote addr ::1, port 58633
  Time Query=9828926, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x002d (45)
    XID       0x6836
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    Offset = 0x000c, RR count = 0
    Name      "(5)SUBCA(12)Headquarters(4)xxxxx(3)org(0)"
      QTYPE   A (1)
      QCLASS  1

When this request happened for DNS, the error appeared in Event Viewer. I know ::1 is the loopback adapter for IPv6. However, I am unsure of what would cause this to be called. Any ideas?
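The DNS debug log in the post above identifies the requester through the source address on each `PACKET ... Rcv` line; a loopback source (`::1` or `127.0.0.1`) means the query came from a process on the DNS server itself rather than from a remote client. As an added example that is not part of the original thread, this Python script counts received queries for a host name by source address. Only the first sample line is from the post; the rest are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# One summary line of a Windows DNS debug log packet entry (format as in the post).
PACKET_RE = re.compile(
    r"^\d+/\d+/\d+ \d+:\d+:\d+ [AP]M\s+\S+\s+PACKET\s+\S+\s+(?:UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<addr>\S+)\s+[0-9A-Fa-f]{4}\s+(?P<resp>R\s+)?[A-Z?]\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)$"
)
LOOPBACK = {"::1", "127.0.0.1"}

def decode_name(wire):
    """Turn '(5)SUBCA(3)org(0)' into 'subca.org'. Length prefixes are not
    validated because redacted logs (as in the post) no longer match them."""
    labels = [text for _n, text in re.findall(r"\((\d+)\)([^()]*)", wire)]
    return ".".join(label for label in labels if label).lower()

def queries_for(lines, hostname):
    """Count received queries (not responses) for hostname, keyed by
    (source address, query type). A short host name matches any domain suffix."""
    target = hostname.rstrip(".").lower()
    hits = Counter()
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m or m["dir"] != "Rcv" or m["resp"]:
            continue
        name = decode_name(m["name"])
        if name == target or name.startswith(target + "."):
            hits[(m["addr"], m["qtype"])] += 1
    return hits

def classify(hits):
    """Split querying addresses into (the DNS server itself, remote clients)."""
    addrs = {addr for addr, _qtype in hits}
    return sorted(addrs & LOOPBACK), sorted(addrs - LOOPBACK)

# First line is from the post; the remaining lines are constructed sample data.
SAMPLE_LOG = """\
8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6836   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Snd ::1             6836 R Q [8385 A DR NXDOMAIN] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
8/15/2012 12:58:40 PM 09F8 PACKET  00000000031A4C50 UDP Rcv 192.0.2.15      a1b2   Q [0001   D   NOERROR] A      (4)mail(12)Headquarters(4)xxx(3)org(0)
8/15/2012 1:03:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6901   Q [0001   D   NOERROR] AAAA   (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
""".splitlines()

if __name__ == "__main__":
    hits = queries_for(SAMPLE_LOG, "subca")
    local, remote = classify(hits)
    print("queries:", dict(hits))
    print("from the DNS server itself:", local, "| from remote clients:", remote)
```

If every hit is a loopback address, the lookups originate on the DC itself, so the next place to look is which local service or stale configuration still references the removed CA.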
Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Ideally the IPv4 is used, not sure about IPv6.

- Rancy
TimMurp (Author) commented:
Rebuilt my DC and the error no longer appears.
TimMurp (Author) commented:
Not sure if this is the only way but I had to do it for another reason. It most likely is a benign issue to begin with.
