DCOM Errors 10009 - Trying to communicate with non-windows devices.

I'm getting repeated DCOM errors on my SBS 2011 server for one client.  It's the one everyone sees I'm sure:
"DCOM was unable to communicate with the computer <ip address> using any of the configured protocols."
The thing that boggles me, is that is the sonicwall TZ-210 firewall, so why is DCOM even trying to talk to it?  More importantly how do I make it stop?

I get the same error only pointing at the LINUX based Asterisk phone server on a different VLAN.
DigiSecAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Radhakrishnan RSenior Technical LeadCommented:
Hi,

Are you getting the CLSID? if so, find out the component from registry. Start>>run>>regedit>>Expand HKEY_ROOT_CLASES>>Click on CLSID>>Find for the specific CLSID. you will get the component name.

Once you noticed the compoenent name, go to start>>run>>dcomcnfg>>expand computers>>DCOM Configurations>>Right click on the component and properties>>Make sure that "Everyone" or "All computers" (specific computer) full control is applied.

If the component is no longer required, delete the registry key, so that the DCOM error no longer appears.
0
Blue Street TechLast KnightCommented:
Hi DigiSec,
The thing that boggles me, is that is the sonicwall TZ-210 firewall, so why is DCOM even trying to talk to it?
Are you saying that in the SBS logs you are seeing the IP address in the the logs as being the SonicWALLs? Please confirm.

This issue occurs because of variable factors.

Let's talk about setup...

"Do you have DHCP running on your server or the router?  It really wants to be on the server.  Please see http://sbsurl.com/dhcp (bottom of that page) for how to restore it back to the server.

Then... did you join your workstations to the domain using the proper SBS method with http://<servername>/connectcomputer?  If not, you'll have to correct that by following these steps on each client workstation:

At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with it's NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://<servername>/connectcomputer"

REF: PAQ http:Q_22162074.html#a18519755


Then if issue still persists, check these threads and resolutions below.

1. COM Service Availability & Windows Firewall - http://technet.microsoft.com/en-us/library/cc774368%28WS.10%29.aspx

1.a. Windows Firewall Rules - http://msmvps.com/blogs/bradley/archive/2009/11/28/dcom-was-unable-to-communicate-with-the-computer.aspx

2. Verify Reg entry for RPC protocols - http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=10009&EvtSrc=DCOM&LCID=1033

3. Old entries (servers, printers) & Monitoring Software - http://kb.monitorware.com/topic-t538.html

4. Old entries in the DNS - http://www.eventid.net/display.asp?eventid=10009&eventno=579&source=DCOM&phase=1

Let me know how it goes!
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DigiSecAuthor Commented:
Are you getting the CLSID? if so, find out the component from registry.

No CLSID, the message I posted is the entirety of the error.  Looking in the XML Details however I do find a GUID, which resolves back to %systemroot%\system32\oleres.dll

Adding that into the mix, brings me to a TechNet article with the precise error I'm receiving, but a different circumstance.

http://social.technet.microsoft.com/Forums/en-US/58d40f97-3c61-4c78-96d4-8aec79395e4f/dcom-event-id-10009-on-sbs2008-box

There was no solution.
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

DigiSecAuthor Commented:
@DiverseIT -
Are you saying that in the SBS logs you are seeing the IP address in the the logs as being the SonicWALLs? Please confirm.
Yes, the IP address that DCOM is reporting an error on is the IP address of the sonicwall, as well as a copier/printer and an asterisk phone server.  None of those ips were ever used by a windows machine.

"Do you have DHCP running on your server or the router?  It really wants to be on the server.  Please see http://sbsurl.com/dhcp (bottom of that page) for how to restore it back to the server.

This is SBS :)  DHCP is running on the server, always has been.

Then... did you join your workstations to the domain using the proper SBS method with http://<servername>/connectcomputer?
Yes, all systems were joined to the SBS domain in the prescribed manner using the http://companyname/connectcomputer url in order to ensure that the SBS client (specifically fax drivers) were installed and configured properly

I do not have an opportunity to go through the links you provided right now, but will later in the day and will respond.

Thanks for your time!
0
Blue Street TechLast KnightCommented:
Sounds good. Yes, what the other links (now copied below) talk about should help you especially with the other devices.

1. COM Service Availability & Windows Firewall - http://technet.microsoft.com/en-us/library/cc774368%28WS.10%29.aspx

1.a. Windows Firewall Rules - http://msmvps.com/blogs/bradley/archive/2009/11/28/dcom-was-unable-to-communicate-with-the-computer.aspx

2. Verify Reg entry for RPC protocols - http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=10009&EvtSrc=DCOM&LCID=1033

3. Old entries (servers, printers) & Monitoring Software - http://kb.monitorware.com/topic-t538.html

4. Old entries in the DNS - http://www.eventid.net/display.asp?eventid=10009&eventno=579&source=DCOM&phase=1

I also found this DCOM error related to SonicWALL interesting but it's a different error 10001-10004 rather than 10009. Are you running Managed AV or Enforced Client Anti-Virus & Anti-Spyware Software or SSO from the SonicWALL? The idea being do you have something in play that extends from the SonicWALL like these services? https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8440

Let me know how it goes!
0
DigiSecAuthor Commented:
Well, I ran through the links, 1 and 1.a seem to apply more to Windows Firewall on a client PC blocking the DCOM traffic, then DCOM trying to talk to a hardware firewall, I enabled the rules anyway for good measure. (shouldn't make a difference since the windows firewall is off in the domain profile)

2. I did verify the RPC protocols - again this seems to be more of an issue on a windows client

3. Straight up doesn't apply, no IPX/SPX, no windows XP etc

4. *possible* but unlikely, Scavenging was set to a long value on the DNS server, however the devices that are being reported are statically addressed and not in the DHCP scope.  This would be an issue if for example DCOM was trying to talk to a laptop that had changed IP addresses when moving from the wired to wireless network.  If the old address was not scavenged out of the DNS server, that stale record may be resolved and DCOM will fail.  I enabled scavenging of DNS but again - I really don't think this is it.

The final issue from the sonicwall site, again sadly doesn't apply.  None of the DPI services, gateway antivirus or other extended services are enabled, licensed or running on the sonicwall.

I will let it run overnight and see if there is any change in the morning.  Incidentally I also did remove the HP Nic Teaming driver (it wasn't in use and is suspected in a GPO timeout error that is also happening).  It's *possible* but again unlikely that this will have any impact either.
0
Blue Street TechLast KnightCommented:
Thanks for the update. This is an odd one. After realizing it was the firewall...it came down to shooting in the dark. I've never seen something like this with the firewall in the mix of a DCOM error.

Let me know how it goes in the morning.

P.S. I've added some more Zones to this question in effort to get more Experts to weigh-in on this one.
0
Cris HannaSr IT Support EngineerCommented:
The SBS product Team wrote a great blog piece on this for SBS 2008 but the same applies
http://blogs.technet.com/b/sbs/archive/2008/08/26/known-post-installation-event-errors-in-sbs-2008-and-how-to-resolve-them.aspx
0
DigiSecAuthor Commented:
Thanks for the support.  There were no errors overnight, but interestingly I see a pattern emerging, the errors are clustered around 5:00 PM and 8:00 PM every night for the last couple of weeks. (beginning on 9/17).

I will look to see if there was a change made around that time (patch/hotfix etc)
0
Blue Street TechLast KnightCommented:
Sounds good. Let me know if you find anything.
0
DigiSecAuthor Commented:
Well, the 5:00 PM cycle still hit the same errors.  I've gone back through install logs, and nothing was installed on the 16th or 17th to cause this to start.  

I suspected perhaps my RMM agent but that was installed on the 11th, and completed the onboarding process on the 12th.  The next patches and updates install didn't happen until the 19th - so I'm at a dead end there.
0
Blue Street TechLast KnightCommented:
Same here. :\

 You may want to put in a call to SonicWALL to see if they can shed some light. And if it gets critical MSFT will solve it for $250.
0
DigiSecAuthor Commented:
I will award partial points because it was helpful - this isn't specifically resolved, although the feedback was to check all the right things
0
Blue Street TechLast KnightCommented:
Understandable! Thanks for the explanation.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.