Solved

DCOM Error Messages EventID 10009

Posted on 2014-03-28
Last Modified: 2014-03-31
The error log on a server is showing an error every few minutes that indicates a connection cannot be made to a server on the web. WHOIS says the server is a Google server.

The error reads:
DCOM was unable to communicate with the computer 74.125.224.72 using any of the configured protocols.

In tracing the process, it is coming from process ID 768. 768 is Svchost.exe and is coming from the services RpcSs and RpcEptMapper.

Help says to open up port 135 in the firewall. But researching this, it seems to be a bad idea since DCOM has been known to be a virus back door. For the life of me, I don't know what this is trying to do and why a Google server would need to communicate this way.

My questions are:
1) Should the port be opened?
2) Is there any way to tell what this is trying to do?

Any insight would be appreciated.
Question by:HCSHAW

Expert Comment

by:Davis McCarn
ID: 39963709
Is there any chance that Chrome, Earth, or the Toolbar got installed?  All of them check for updates.
And no, I wouldn't open a port for a suspicious process.

Accepted Solution

by:
btan earned 500 total points
ID: 39964373
Simply speaking, DCOM 10009 indicates that the DCOM client located on this <Computer Name> can't communicate with the DCOM|COM+ server located on that <Target Computer Name>. The local SCM COM activator is also called the RPCSS service.

There are past troubleshooting details shared - mostly the remote server is offline, or the comms with the remote server are blocked at the client or remote server end. It can be any security device doing the blocking, especially those FWs... secure by default, this port is included.

Wearing the security hat, the DCOM port must indeed be closed, especially if it is not used by any application, but mostly legacy apps can still be using it. Most apps have shifted into the port 80 space... that is another playground.

Wearing the business hat, Microsoft does have something to say on securing the DCOM or COM+ service from a computer/application perspective, such as restricting to least privilege and specifying a specific user account (instead of the default system account) to run it. Ideally, the assigned account's only purpose is RPC related, and in this case to facilitate the comms. Overall, the lockdown measures attempt to reduce the attack surface. You can find a hardening example (PDF), which is pretty step by step, for their case and reference.

There is a TechNet article on enabling the host FW to allow DCOM/COM+ to pass through.

In summary, in order to make DCOM applications work in Windows Server 2008 you need to do two things. Installing the Application role is not needed (but it does add the COM+ network access as in below).

a. Allow "COM+ network access" in firewall rules (type firewall.cpl from a command prompt and on the left you'll see the setting). COM+ is somewhat of a misnomer since it is also for DCOM. COM+ Network Access is a preconfigured program in the exception list that you can just check off.

b. Add your DCOM server to the list of program exceptions in the firewall.
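
Before changing any firewall rule, it helps to see which targets the 10009 events name and how often. The following is an added example, not part of the thread: the function names and the sample messages are constructed, with the first message being the text quoted in the question.

```powershell
# Added example: summarise DCOM 10009 targets and classify each one.
# On a live server, feed real messages instead of the constructed samples:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10009 } |
#       ForEach-Object { $_.Message }

function Get-DcomTarget {
    param([string[]]$Message)
    # Pull the target out of the standard 10009 message text.
    $pattern = 'communicate with the computer (\S+) using any of the configured protocols'
    foreach ($m in $Message) {
        if ($m -match $pattern) { $Matches[1] }
    }
}

function Get-TargetScope {
    param([string]$Target)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Target, [ref]$ip)) { return 'HostName' }
    if ($ip.AddressFamily -ne 'InterNetwork') { return 'IPv6' }
    $b = $ip.GetAddressBytes()
    # RFC 1918 ranges, loopback and link-local count as internal.
    if ($b[0] -eq 10 -or $b[0] -eq 127 -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 169 -and $b[1] -eq 254)) { return 'Private' }
    return 'Public'
}

# Constructed sample messages (OLDFILESRV and 192.168.10.25 are made up).
$sample = @(
    'DCOM was unable to communicate with the computer 74.125.224.72 using any of the configured protocols.',
    'DCOM was unable to communicate with the computer 74.125.224.72 using any of the configured protocols.',
    'DCOM was unable to communicate with the computer 192.168.10.25 using any of the configured protocols.',
    'DCOM was unable to communicate with the computer OLDFILESRV using any of the configured protocols.'
)

# One row per target: how many events name it and what kind of address it is.
Get-DcomTarget -Message $sample | Group-Object | Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Target = $_.Name
            Events = $_.Count
            Scope  = Get-TargetScope -Target $_.Name
        }
    }
```

A target in the Public scope, like the address in the question, is one to trace back to the software or setting that references it before any firewall change is considered.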

Author Closing Comment

by:HCSHAW
ID: 39966891
That's the info I needed. Thanks...