TimMurp
asked on
Trace DCOM
Event Viewer Error on DC Windows 2008 R2:
I am receiving the following error after the deletion of an Enterprise Sub CA. I went back through ADUC and cleaned it out following the Windows document, but the error still appears 30+ times a day on my main Domain Controller.
"DCOM was unable to communicate with the computer SUBCA.xxxxxxxxxxx.xxxxxx.org using any of the configured protocols."
Event ID: 10009
I want to figure out a way to see why DCOM is attempting to contact the computer. I am thinking either there are computers on the network with certs that are still looking to confirm validity and contact the DC to contact the SubCA. Is there a way to track requests? Any ideas of what could be causing the error to be thrown?
Thanks for any help!
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-08-14T13:25:36.000000000Z" />
    <EventRecordID>16371</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DC.xxxxxxxxx.xxxxxx.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">SUBCA.xxxxxxxxxx.xxxxxx.org</Data>
    <Binary>3C5265636F726423313A20436F6D70757465723D286E756C6C293B5069643D3730303B382F31342F323031322031333A32353A33363A3233323B5374617475733D313732323B47656E636F6D703D323B4465746C6F633D313731303B466C6167733D303B506172616D733D313B7B506172616D23303A307D3E3C5265636F726423323A20436F6D70757465723D286E756C6C293B5069643D3730303B382F31342F323031322031333A32353A33363A3233323B5374617475733D313732323B47656E636F6D703D31383B4465746C6F633D313434323B466C6167733D303B506172616D733D313B7B506172616D23303A53554243412E48656164717561727465727320E636665642E6F72677D3E3C5265636F726423333A20436F6D70757465723D286E756C6C293B5069643D3730303B382F31342F323031322031333A32353A33363A3233323B5374617475733D313732323B47656E636F6D703D31383B4465746C6F633D3332323B466C6167733D303B506172616D733D303B3E3C5265636F726423343A20436F6D70757465723D286E756C6C293B5069643D3730303B382F31342F323031322031333A32353A33363A3233323B5374617475733D31313030313B47656E636F6D703D31383B4465746C6F633D3332303B466C6167733D303B506172616D733D313B7B506172616D23303A53554243412E48656164717561727465727320E636665642E6F72677D3E</Binary>
  </EventData>
</Event>
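The <Binary> field of a 10009 event is not opaque: it is ASCII text made of <Record#n: ...> entries, each carrying a Win32/RPC Status code and, in {Param#0:...}, the name DCOM was trying to reach. The blob posted above decodes to four records, three with Status=1722 (RPC_S_SERVER_UNAVAILABLE, "The RPC server is unavailable") and one with Status=11001 (WSAHOST_NOT_FOUND), so the DC cannot even resolve the old Sub CA's name before the RPC attempt fails. The PowerShell below is an added example, not code from the original post or from Microsoft; it decodes such a blob from a hex string. The sample hex is built in the script from a made-up hostname (SUBCA.example.org), and the Get-WinEvent call at the end is meant to be run on the DC itself. It needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): decode the <Binary> payload of a
# DCOM 10009 event. The payload is ASCII text made of <Record#n: ...> entries;
# each carries a Win32/RPC Status code and, in {Param#0:...}, the target name.

function ConvertFrom-DcomBinary {
    param([Parameter(Mandatory)][string]$Hex)

    # Symbolic names for the codes that turn up in 10009 records most often.
    $known = @{
        5     = 'ERROR_ACCESS_DENIED'
        1722  = 'RPC_S_SERVER_UNAVAILABLE'
        1753  = 'EPT_S_NOT_REGISTERED'
        11001 = 'WSAHOST_NOT_FOUND'
    }

    # Event Viewer copy/paste breaks the hex with spaces and line breaks; strip them.
    $clean = $Hex -replace '\s', ''
    $bytes = New-Object byte[] ([int]($clean.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    $text = [Text.Encoding]::ASCII.GetString($bytes)

    # <Record#1: Computer=(null);Pid=700;8/14/2012 13:25:36:232;Status=1722;...;{Param#0:host}>
    foreach ($m in [regex]::Matches($text, '<Record#(\d+):\s*([^>]*)>')) {
        $body   = $m.Groups[2].Value
        $status = [int]([regex]::Match($body, 'Status=(\d+)').Groups[1].Value)
        $params = [regex]::Matches($body, '\{Param#\d+:([^}]*)\}') |
                  ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            Record  = [int]$m.Groups[1].Value
            Pid     = [regex]::Match($body, 'Pid=(\d+)').Groups[1].Value
            Status  = $status
            Symbol  = $known[$status]
            # System message text for the code, the same text FormatMessage returns.
            Message = (New-Object ComponentModel.Win32Exception $status).Message
            Params  = ($params -join ', ')
        }
    }
}

# Constructed sample with the same layout as the posted blob; the hostname is made up.
$sampleText = '<Record#1: Computer=(null);Pid=700;8/14/2012 13:25:36:232;Status=1722;Gencomp=18;Detloc=1442;Flags=0;Params=1;{Param#0:SUBCA.example.org}>' +
              '<Record#2: Computer=(null);Pid=700;8/14/2012 13:25:36:232;Status=11001;Gencomp=18;Detloc=320;Flags=0;Params=1;{Param#0:SUBCA.example.org}>'
$sampleHex  = -join ([Text.Encoding]::ASCII.GetBytes($sampleText) | ForEach-Object { $_.ToString('X2') })
ConvertFrom-DcomBinary $sampleHex | Format-Table -AutoSize

# On the DC itself: pull the recent 10009 events and decode each one.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10009 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $when = $_.TimeCreated
        $xml  = [xml]$_.ToXml()
        ConvertFrom-DcomBinary $xml.Event.EventData.Binary |
            Select-Object @{ n = 'Time'; e = { $when } }, Record, Status, Symbol, Message, Params
    }
```

Reading the Status codes tells you which stage fails (name lookup, endpoint mapper, or the RPC call itself), which is more than the event text gives you; note that the event's own Execution element has ProcessID="0", so the event does not identify the calling process.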
This article has some points to check
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/dcom-event-id-10009/6f4eefe6-7e4b-4baf-9896-4d0ef340e160
http://technet.microsoft.com/en-us/library/ms839040.aspx
- Rancy
ASKER
Hi Rancy,
Thanks for taking a look. However, I'm still not seeing a solution.
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/dcom-event-id-10009/6f4eefe6-7e4b-4baf-9896-4d0ef340e160
and
http://technet.microsoft.com/en-us/library/ms839040.aspx ---
They tell me to go under regedit --> RPC and then DCOM, but there isn't a subfolder with that name there. I have clientProtocols, extensions, and security service. It also doesn't say what to do if I found it there. (I am assuming I am finding this on my DC.)
I go through the steps of the first link, but my DC computer is already set to TCP/IP. I am assuming then it is good to go.
http://support.microsoft.com/kb/245197 -- this has to do with 2000 and XP. Also, it is changing the protocols, which were already established correctly.
I looked through the search you sent, but most of them were the same as the case above and weren't fruitful. I am looking around Component Services for some type of solution. Is there a way to view where the DCOM requests come from? The only solution I can find right now, which is to put on DNS forwarders, isn't a solution. I feel like this is bad, as it is ignoring the problem.
I am beginning to wonder if the certs it originally issued are trying to verify still. I might run a startup script to remove all personal certifications if I can't find a solution to the DCOM.
ASKER
I figured out how to do DNS logging:
https://support.appriver.com/KB/a669/enable-dns-request-logging-for-windows-20032008.aspx
This is the cause of the error:
8/15/2012 12:58:23 PM 09F8 PACKET 00000000025B9210 UDP Rcv ::1 6836 Q [0001 D NOERROR] A (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
UDP question info at 00000000025B9210
  Socket = 336
  Remote addr ::1, port 58633
  Time Query=9828926, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x002d (45)
  Message:
    XID       0x6836
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(5)SUBCA(12)Headquarters(4)xxxxx(3)org(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty
When this DNS request happened, the error appeared in Event Viewer. I know ::1 is the loopback adapter for IPv6. However, I am unsure of what would cause this to be called. Any ideas?
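The debug log above already answers half of the question: the query for the Sub CA's A record arrives from ::1, so it is the DC's own IP stack asking, not another machine on the network. The PowerShell below is an added example, not code from the original post; it parses the PACKET header lines of a Windows DNS Server debug log in the layout shown above, decodes the length-prefixed names ((5)SUBCA(12)Headquarters... into SUBCA.Headquarters...), and groups the received queries for a name by source address, flagging ::1 and 127.0.0.1 as the DC itself. The log lines are constructed, and SUBCA.Headquarters.example.org and the 10.1.2.x addresses are placeholders. It needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): parse the PACKET lines of a Windows
# DNS Server debug log, decode the length-prefixed names, and see which clients are
# asking for the retired Sub CA.

function Get-DnsDebugQueries {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$NamePattern = '.*'        # regex applied to the decoded FQDN
    )
    # One PACKET line per message; queries carry 'Q [...]', responses 'R Q [...]'.
    $rx = '^(?<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?<tid>[0-9A-Fa-f]+) PACKET (?<ptr>[0-9A-Fa-f]+) ' +
          '(?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<addr>\S+)\s+(?<xid>[0-9A-Fa-f]+) (?<qr>R Q|Q) \[(?<flags>[^\]]*)\]\s+' +
          '(?<qtype>\S+)\s+(?<name>\S+)\s*$'
    $fmt = 'M/d/yyyy h:mm:ss tt'
    $inv = [Globalization.CultureInfo]::InvariantCulture

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $rx)
        if (-not $m.Success) { continue }      # skip the indented detail lines (XID, Flags, ...)
        # (5)SUBCA(12)Headquarters(3)org(0) -> SUBCA.Headquarters.org
        $fqdn = ($m.Groups['name'].Value -replace '\(\d+\)', '.').Trim('.')
        if ($fqdn -notmatch $NamePattern) { continue }
        $addr = $m.Groups['addr'].Value
        if ($m.Groups['qr'].Value -eq 'Q') { $kind = 'Query' } else { $kind = 'Response' }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact($m.Groups['time'].Value, $fmt, $inv)
            Dir     = $m.Groups['dir'].Value
            Kind    = $kind
            Source  = $addr
            IsLocal = ($addr -in @('::1', '127.0.0.1'))   # the DC's own stack
            QType   = $m.Groups['qtype'].Value
            Name    = $fqdn
            Flags   = $m.Groups['flags'].Value
        }
    }
}

# Constructed sample lines in the debug-log layout shown in the post; names and addresses are made up.
$sampleLog = @(
    '8/15/2012 12:58:23 PM 09F8 PACKET 00000000025B9210 UDP Rcv ::1             6836 Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(7)example(3)org(0)',
    'UDP question info at 00000000025B9210',
    '  Socket = 336',
    '8/15/2012 12:58:23 PM 09F8 PACKET 00000000025B9210 UDP Snd ::1             6836 R Q [8385   A DR NXDOMAIN] A      (5)SUBCA(12)Headquarters(7)example(3)org(0)',
    '8/15/2012 12:58:31 PM 09F8 PACKET 00000000025C0120 UDP Rcv 10.1.2.34       4a1c Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(7)example(3)org(0)',
    '8/15/2012 12:58:40 PM 09F8 PACKET 00000000025C0120 UDP Rcv 10.1.2.50       77ab Q [0001   D   NOERROR] A      (3)www(7)example(3)org(0)'
)

# Who is asking for the old Sub CA, and how often? Responses (Snd) are dropped so each query counts once.
Get-DnsDebugQueries -Lines $sampleLog -NamePattern '^SUBCA\.' |
    Where-Object { $_.Kind -eq 'Query' -and $_.Dir -eq 'Rcv' } |
    Group-Object Source |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'IsDcItself'; e = { $_.Group[0].IsLocal } },
                  @{ n = 'First'; e = { ($_.Group | Select-Object -First 1).Time } } |
    Format-Table -AutoSize

# For the real log, feed in the file chosen on the server's Debug Logging tab, e.g.:
# Get-DnsDebugQueries -Lines (Get-Content 'C:\Windows\System32\dns\dns.log') -NamePattern '^SUBCA\.'
```

A query arriving from ::1 or 127.0.0.1 means a process on the DC itself asked for the name, and the DNS debug log does not record which process. To close that gap, run Sysinternals Process Monitor on the DC at the same time, filter on UDP Send operations to port 53, and match its timestamps against the Time column here; any queries that instead come from real client addresses point at machines that still reference the old CA.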
Ideally IPv4 is used; not sure about IPv6.
- Rancy
ASKER
Not sure if this is the only way, but I had to do it for another reason. It most likely is a benign issue to begin with.
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=DCOM+was+unable+to+communicate+with+the+computer+%1cServer+Name%1d
Check these articles and see if these can help.
- Rancy