Trace DCOM

Posted on 2012-08-14
Last Modified: 2013-02-18
Event Viewer Error on DC Windows 2008 R2:

I am receiving the following error after the deletion of an Enterprise Sub CA. I went back through ADUC and cleaned it out following the Windows document, but the error still appears 30+ times a day on my main domain controller.

"DCOM was unable to communicate with the computer using any of the configured protocols."
Event ID: 10009

I want to figure out a way to see why DCOM is attempting to contact the computer. I am thinking either there are computers on the network with certs that are still looking to confirm validity and contact the DC to contact the SubCA. Is there a way to track the requests? Any ideas of what could be causing the error to be thrown?

Thanks for any help!

<Event xmlns="">
<System>
  <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
  <EventID Qualifiers="49152">10009</EventID>
  <TimeCreated SystemTime="2012-08-14T13:25:36.000000000Z" />
  <Correlation />
  <Execution ProcessID="0" ThreadID="0" />
  <Security />
<EventData>
  <Data Name="param1"></Data>
Question by: TimMurp
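A first check for the situation in the question, added here as an example and not part of the original thread. Event 10009 is logged by the machine that initiated the DCOM call, so a DC that logs it 30+ times a day is itself trying to reach the removed CA rather than relaying anything from clients; the name of the host it cannot reach is param1 of the event. The script below pulls that name out of the System log and then looks in the places a decommissioned enterprise CA usually leaves traces: the Public Key Services container of the configuration partition, the computer account, DNS, and the NTAuth store. It also shows why the registry step in the KB articles does not apply here. It assumes it runs on the affected DC (2008 R2 or later) as a domain admin with the ActiveDirectory module installed; the container and value names are the standard ones, everything else is read from the events.

```powershell
# Added example (not from the original post): find which host the DCOM 10009
# events on this DC are trying to reach, then look for what a decommissioned
# enterprise CA can leave behind.  Assumes it runs on the DC (2008 R2 or later)
# as a domain admin with the ActiveDirectory module available.
Import-Module ActiveDirectory

# 0. The "DCOM Protocols" setting the KB articles refer to is a REG_MULTI_SZ
#    value under HKLM\SOFTWARE\Microsoft\Rpc, not a subkey.  On 2008 R2 it is
#    absent by default (DCOM uses TCP/IP only there), so "not found" is normal.
$rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc'
$dcomProtocols = if ($rpc.'DCOM Protocols') { $rpc.'DCOM Protocols' -join ',' } else { '<absent>' }
Write-Host "DCOM Protocols value: $dcomProtocols"

# 1. Target host(s) named in the 10009 events; param1 is the computer that
#    DCOM could not reach.  The event is logged by the caller, so a DC that
#    logs it is itself making the call, not relaying a client's request.
$targets = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10009 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-DistributedCOM' } |
    ForEach-Object { $_.Properties[0].Value } |
    Group-Object | Sort-Object Count -Descending
if (-not $targets) { Write-Host 'No DCOM 10009 events found in the System log.'; return }
$targets | Format-Table Count, Name -AutoSize | Out-Host

# 2. Leftovers in the configuration partition.  Decommissioning an enterprise CA
#    should remove its pKIEnrollmentService object (CN=Enrollment Services), its
#    certificationAuthority objects (CN=AIA, CN=Certification Authorities) and
#    its CDP container.  Anything still here keeps clients, including this DC's
#    own certificate autoenrollment, pointing at the dead CA.
$pki = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
foreach ($t in $targets) {
    $short = ($t.Name -split '\.')[0]
    Write-Host "`n== Public Key Services objects whose CN or dNSHostName contains '$short' =="
    Get-ADObject -SearchBase $pki -LDAPFilter "(|(cn=*$short*)(dNSHostName=*$short*))" -Properties objectClass, dNSHostName |
        Format-List objectClass, Name, dNSHostName, DistinguishedName | Out-Host

    Write-Host "== Computer account and DNS for $($t.Name) =="
    Get-ADComputer -Filter "Name -eq '$short'" -ErrorAction SilentlyContinue |
        Format-List Name, Enabled, DistinguishedName | Out-Host
    try   { Write-Host ('Resolves to: ' + (([System.Net.Dns]::GetHostAddresses($t.Name) | ForEach-Object { $_.IPAddressToString }) -join ', ')) }
    catch { Write-Host "No DNS answer for $($t.Name): $($_.Exception.Message)" }
}

# 3. NTAuth store: a CA certificate still published here is still trusted to
#    issue logon certificates even though the CA service itself is gone.
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pki" -Properties cACertificate
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    Write-Host ('NTAuth: {0}  (valid until {1:yyyy-MM-dd})' -f $cert.Subject, $cert.NotAfter)
}
```

If step 2 turns up a pKIEnrollmentService or certificationAuthority object carrying the old CA's name, that is the reference the ADUC clean-up missed; it is stored in the configuration partition, which ADUC does not show without connecting to it explicitly. Step 1 should be repeated after removing it to confirm the event count drops.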
    Expert Comment

    Expert Comment

    Author Comment

    Hi Rancy,

    Thanks for taking a look. However, I am still not seeing a solution.

    They tell me to go under regedit --> RPC and then DCOM, but there isn't a sub folder with that name there. I have ClientProtocols, Extensions, and SecurityService. It also doesn't say what to do if I found it there. (I am assuming I am finding this on my DC.)

    I went through the steps of the first link, but my DC is already set to TCP/IP, so I am assuming it is good to go. That one has to do with 2000 and XP, and it is about changing the protocols, which were already set correctly.

    I looked through the search you sent, but most of the results were the same as the case above and weren't fruitful. I am looking around Component Services for some type of solution. Is there a way to view where the DCOM requests come from? The only solution I can find right now is to put on DNS forwarders, which isn't a solution. I feel like this is just ignoring the problem.

    I am beginning to wonder if the certs it originally issued are still trying to verify. I might run a startup script to remove all personal certificates if I can't find a solution to the DCOM error.

    Author Comment

    I figured out how to do DNS logging:

    This is the cause of the error:

    8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6836   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(4)xxx(3)org(0)
    UDP question info at 00000000025B9210
      Socket = 336
      Remote addr ::1, port 58633
      Time Query=9828926, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x002d (45)
        XID       0x6836
        Flags     0x0100
          QR        0 (QUESTION)
          OPCODE    0 (QUERY)
          AA        0
          TC        0
          RD        1
          RA        0
          Z         0
          CD        0
          AD        0
          RCODE     0 (NOERROR)
        QCOUNT    1
        ACOUNT    0
        NSCOUNT   0
        ARCOUNT   0
        Offset = 0x000c, RR count = 0
        Name      "(5)SUBCA(12)Headquarters(4)xxxxx(3)org(0)"
          QTYPE   A (1)
          QCLASS  1

    When this request happens in DNS, the error appears in Event Viewer. I know ::1 is the loopback adapter for IPv6. However, I am unsure of what would cause this to be called. Any ideas?
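The significant part of the log above is the remote address: the query for SUBCA arrives from ::1, so it was sent by a process on the DC itself, not by a client somewhere on the network. As an added example (not from the thread), the script below parses DNS debug log packet lines in exactly that format, keeps the queries received from the loopback addresses, and matches them against DCOM 10009 events within a few seconds, which shows whether every DCOM failure is preceded by the DC resolving the old CA's name. The log lines and the event list are constructed for the demo; the name SUBCA.Headquarters.example.org and the log path are placeholders, and the commented-out lines show where the real data comes from on the DC.

```powershell
# Added example (not from the original post).  Parses Windows DNS debug log
# packet lines, keeps queries that came from the DC's own loopback addresses,
# and lines them up with DCOM 10009 events.  Sample lines and events below are
# constructed; the commented lines show the real sources on a DC.

function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    # Packet line layout: date time threadId PACKET ptr proto Rcv|Snd remote xid [R] Q [flags] qtype name
    $re = '^(?<date>\S+)\s+(?<time>\S+\s[AP]M)\s+[0-9A-Fa-f]+\s+PACKET\s+[0-9A-Fa-f]+\s+' +
          '(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+(?<remote>\S+)\s+(?<xid>[0-9A-Fa-f]+)\s+' +
          '(?<resp>R\s+)?Q\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<name>\S+)'
    $m = [regex]::Match($Line, $re)
    if (-not $m.Success) { return $null }   # "UDP question info", "Socket =" etc. are not packet lines
    # Name is length-prefixed: "(5)SUBCA(12)Headquarters(7)example(3)org(0)" -> "SUBCA.Headquarters.example.org"
    $fqdn = ([regex]::Replace($m.Groups['name'].Value, '\(\d+\)', '.')).Trim('.')
    New-Object PSObject -Property @{
        Time    = [datetime]::ParseExact(($m.Groups['date'].Value + ' ' + $m.Groups['time'].Value),
                                         'M/d/yyyy h:mm:ss tt', [Globalization.CultureInfo]::InvariantCulture)
        Proto   = $m.Groups['proto'].Value
        Dir     = $m.Groups['dir'].Value
        Remote  = $m.Groups['remote'].Value
        IsQuery = -not $m.Groups['resp'].Success   # "R Q" marks a response, plain "Q" a question
        QType   = $m.Groups['qtype'].Value
        Name    = $fqdn
    }
}

function Get-LoopbackQueries {
    # Questions received from the DC itself (::1 or 127.0.0.1) for a matching name.
    param([string[]]$Lines, [string]$NamePattern = '*')
    $Lines | ForEach-Object { ConvertFrom-DnsDebugLine $_ } |
        Where-Object { $_ -and $_.IsQuery -and $_.Dir -eq 'Rcv' -and
                       ($_.Remote -eq '::1' -or $_.Remote -eq '127.0.0.1') -and
                       $_.Name -like $NamePattern }
}

function Join-DcomEvents {
    # Pair each loopback lookup with any 10009 event logged within WindowSeconds of it.
    param($Queries, $Events, [int]$WindowSeconds = 5)
    foreach ($q in $Queries) {
        foreach ($e in $Events) {
            $delta = ($e.TimeCreated - $q.Time).TotalSeconds
            if ([math]::Abs($delta) -le $WindowSeconds) {
                New-Object PSObject -Property @{
                    Lookup = $q.Time; Name = $q.Name; From = $q.Remote
                    DcomEvent = $e.TimeCreated; DcomTarget = $e.Target; DeltaSec = $delta
                }
            }
        }
    }
}

# --- constructed sample data; on the DC use the commented lines instead ---
$sampleLog = @(
    '8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Rcv ::1             6836   Q [0001   D   NOERROR] A      (5)SUBCA(12)Headquarters(7)example(3)org(0)',
    'UDP question info at 00000000025B9210',
    '8/15/2012 12:58:23 PM 09F8 PACKET  00000000025B9210 UDP Snd ::1             6836 R Q [8385 A DR NXDOMAIN] A      (5)SUBCA(12)Headquarters(7)example(3)org(0)',
    '8/15/2012 12:58:25 PM 0A10 PACKET  00000000025C1F40 UDP Rcv 10.1.2.50       1f3c   Q [0001   D   NOERROR] A      (3)www(7)example(3)org(0)'
)
$sampleEvents = @(
    (New-Object PSObject -Property @{ TimeCreated = [datetime]'2012-08-15 12:58:24'; Target = 'SUBCA.Headquarters.example.org' })
)
# $sampleLog    = Get-Content 'C:\Windows\System32\dns\dns.log'
# $sampleEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10009 } |
#     ForEach-Object { New-Object PSObject -Property @{ TimeCreated = $_.TimeCreated; Target = $_.Properties[0].Value } }

$hits = Get-LoopbackQueries -Lines $sampleLog -NamePattern 'SUBCA*'
Join-DcomEvents -Queries $hits -Events $sampleEvents |
    Format-Table Lookup, Name, From, DcomEvent, DcomTarget, DeltaSec -AutoSize
```

The DNS debug log does not record which local process asked, so this only narrows the source down to the DC itself. Seeing the asking process needs a tool that watches the socket (Process Monitor filtered on UDP sends to port 53 around the logged time, for instance). On a DC that has just lost an enterprise CA, the likely candidate is the certificate autoenrollment client, which enumerates the Enrollment Services container and contacts each listed CA over DCOM; a leftover pKIEnrollmentService object for the old SubCA would produce exactly this pairing of a loopback lookup followed by a 10009 event. That is an assumption to verify, not something the thread establishes.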
    LVL 52

    Expert Comment

    Ideally IPv4 is used; not sure about IPv6.

    - Rancy

    Accepted Solution

    Rebuilt my DC and the error no longer appears.

    Author Closing Comment

    Not sure if this is the only way but I had to do it for another reason. It most likely is a benign issue to begin with.
