Trace DCOM

Asked by TimMurp

Event Viewer Error on DC Windows 2008 R2:

I am receiving the following error after the deletion of an Enterprise Sub CA. I went back through ADUC and cleaned it out following the Windows document, but the error still appears 30+ times a day on my main Domain Controller.

"DCOM was unable to communicate with the computer SUBCA.xxxxxxxxxxx.xxxxxx.org using any of the configured protocols."
Event ID: 10009

I want to figure out a way to see why DCOM is attempting to contact the computer. I am thinking there are computers on the network with certs that are still looking to confirm validity and contact the DC to contact the SubCA. Is there a way to track the requests? Any ideas of what could be causing the error to be thrown?


Thanks for any help!


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-08-14T13:25:36.000000000Z" />
    <EventRecordID>16371</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DC.xxxxxxxxx.xxxxxx.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">SUBCA.xxxxxxxxxx.xxxxxx.org</Data>
    <Binary>...</Binary>
  </EventData>
</Event>
Manpreet SIngh Khatra

TimMurp (ASKER)

Hi Rancy,

Thanks for taking a look. However, I am still not seeing a solution.

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/dcom-event-id-10009/6f4eefe6-7e4b-4baf-9896-4d0ef340e160

and

http://technet.microsoft.com/en-us/library/ms839040.aspx ---

They tell me to go under regedit --> RPC and then DCOM, but there isn't a subfolder with that name there. I have ClientProtocols, Extensions, and SecurityService. It also doesn't say what to do if I found it there. (I am assuming I am finding this on my DC.)

I go through the steps of the first link but my DC computer is already set to TCP/IP. I am assuming then it is good to go.

http://support.microsoft.com/kb/245197 -- this has to do with 2000 and XP. Also, it is about changing the protocols, which were already established correctly.

I looked through the search you sent, but most of them were the same as the case above and weren't fruitful. I am looking around Component Services for some type of solution. Is there a way to view where the DCOM requests come from? The only solution I can find right now isn't a solution, which is to put on DNS forwarders. I feel like this is bad and is ignoring the problem.

I am beginning to wonder if the certs it originally issued are trying to verify still. I might run a startup script to remove all personal certifications if I can't find a solution to the DCOM.
TimMurp (ASKER)

I figured out how to do DNS logging:

https://support.appriver.com/KB/a669/enable-dns-request-logging-for-windows-20032008.aspx

This is the cause of the error:

8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6836   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
UDP question info at 00000000025B9210
  Socket = 336
  Remote addr ::1, port 58633
  Time Query=9828926, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x002d (45)
  Message:
    XID       0x6836
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(5)SUBCA(12)Headquarters(4)xxxxx(3)org(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty


When this request happened for DNS, the error appeared in Event Viewer. I know ::1 is the loopback adapter for IPv6. However, I am unsure of what would cause this to be called. Any ideas?
Ideally IPv4 is used; not sure about IPv6.
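The approach taken in the post above, correlating DNS debug-log queries for the decommissioned SubCA with the DCOM 10009 events, can be automated. The following is an added example, not code from the original thread or from Microsoft: a small Python parser for the Windows Server 2008 R2 DNS debug-log PACKET line layout shown in the post (date, time, thread id, PACKET, buffer pointer, protocol, Snd/Rcv, remote address, XID, Q/R flag, bracketed flags, RR type, label-encoded name). It decodes the `(5)SUBCA(12)Headquarters...` wire name, keeps only received queries for the target host, and pairs each with any 10009 event timestamp that falls inside a short window, so the output is the list of client addresses that trigger the error. The sample log lines and event times are constructed for the example (the first PACKET line is the one from the post, with the masked domain kept as-is), and the 10009 times are assumed to have already been converted to the same local time zone as the DNS log, since `TimeCreated SystemTime` in the event XML is UTC.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# PACKET line of a 2008 R2 DNS debug log (layout as shown in the post).
# For responses the Q/R column reads "R Q", for queries just "Q".
PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>[0-9a-f]{4})\s+PACKET\s+(?P<buf>[0-9a-f]{16})\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<addr>\S+)\s+(?P<xid>[0-9a-f]{4})\s+"
    r"(?P<qr>[QR](?:\s+Q)?)\s+\[(?P<flags>[^\]]*)\]\s+(?P<rrtype>\S+)\s+(?P<name>\S+)",
    re.IGNORECASE,
)
# One "(length)label" pair of the wire-format name; "(0)" is the root label.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(wire_name):
    """Turn '(5)SUBCA(12)Headquarters(4)xxx(3)org(0)' into 'subca.headquarters.xxx.org'."""
    labels = [label for length, label in LABEL_RE.findall(wire_name) if int(length) > 0]
    return ".".join(labels).lower()


def parse_packet_line(line):
    """Return a dict for a PACKET line, or None for the detail lines that follow it."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p"),
        "proto": m["proto"].upper(),
        "direction": m["dir"],
        "client": m["addr"],          # ::1 / 127.0.0.1 means the query came from the DC itself
        "xid": m["xid"].lower(),
        "is_query": m["qr"].upper() == "Q",
        "rrtype": m["rrtype"].upper(),
        "name": decode_name(m["name"]),
    }


def queries_for_host(lines, target_fqdn):
    """Received queries (any RR type) whose question name is the target host."""
    target = target_fqdn.lower().rstrip(".")
    hits = []
    for line in lines:
        rec = parse_packet_line(line)
        if rec and rec["direction"] == "Rcv" and rec["is_query"] and rec["name"] == target:
            hits.append(rec)
    return hits


def correlate(hits, event_times, window=timedelta(seconds=5)):
    """Pair each query with a DCOM 10009 event logged within `window` of it.

    Returns (count of matched queries per client address, list of matched pairs)."""
    by_client = Counter()
    matched = []
    for rec in hits:
        near = [t for t in event_times if abs(t - rec["time"]) <= window]
        if near:
            by_client[rec["client"]] += 1
            matched.append((rec["time"], rec["client"], near[0]))
    return by_client, matched


def report(log_text, target_fqdn, event_times, window=timedelta(seconds=5)):
    hits = queries_for_host(log_text.splitlines(), target_fqdn)
    by_client, matched = correlate(hits, event_times, window)
    return {"queries": len(hits), "by_client": dict(by_client), "matched": matched}


# Constructed sample: the post's own PACKET line, its (assumed) NXDOMAIN response,
# a query from a LAN client, an unrelated query, and one non-PACKET detail line.
SAMPLE_LOG = """\
8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6836   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Snd ::1             6836 R Q [8385 A DR NXDOMAIN] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
8/15/2012 12:58:40 PM 0A10 PACKET  00000000025BA4C0 UDP Rcv 10.0.0.23       1a2b   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
8/15/2012 12:59:02 PM 0A10 PACKET  00000000025BA4C0 UDP Rcv 10.0.0.45       77c1   Q [0001   D   NOERROR] A      (2)DC(12)Headquarters(4)xxx(3)org(0)
UDP question info at 00000000025B9210
"""

# Constructed 10009 timestamps, already converted to the DNS log's local time zone.
SAMPLE_EVENT_TIMES = [
    datetime(2012, 8, 15, 12, 58, 24),
    datetime(2012, 8, 15, 12, 58, 41),
]

if __name__ == "__main__":
    result = report(SAMPLE_LOG, "SUBCA.Headquarters.xxx.org", SAMPLE_EVENT_TIMES)
    print(f"{result['queries']} queries for the SubCA name")
    for client, n in result["by_client"].items():
        print(f"  {client}: {n} query(ies) coincided with a DCOM 10009 event")
```

A loopback source such as ::1 in the output means the lookup was issued by a process on the DC itself, which is what the post observed, whereas a LAN address points at a specific client that still references the old CA.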

ASKER CERTIFIED SOLUTION
TimMurp

TimMurp (ASKER)

Not sure if this is the only way but I had to do it for another reason. It most likely is a benign issue to begin with.