Solved

DCom Error Messages  EventID 10009

Posted on 2014-03-28
Last Modified: 2014-03-31
The error log on a server is showing an error every few minutes that indicates a connection cannot be made to a server on the web. WHOIS says the server is a Google server.

The error reads:
DCOM was unable to communicate with the computer 74.125.224.72 using any of the configured protocols.

In tracing the process it is coming from process ID 768. 768 is Svchost.exe and is coming from the services RpcSs and RpcEptMapper.

Help says to open up port 135 in the firewall. But researching this seems to be a bad idea since DCOM has been known to be a virus back door. For the life of me, I don't know what this is trying to do and why would a Google server need to communicate this way.

My questions are:
1) Should the port be opened?
2) Is there any way to tell what this is trying to do?

Any insight would be appreciated.
Question by:HCSHAW
3 Comments
Expert Comment

by:Davis McCarn
ID: 39963709
Is there any chance that Chrome, Earth, or the Toolbar got installed?  All of them check for updates.
And no, I wouldn't open a port for a suspicious process.
Accepted Solution

by:
btan earned 500 total points
ID: 39964373
Simply speaking, DCOM 10009 indicates that the DCOM client located on this <Computer Name> can't communicate with the DCOM|COM+ server located on that <Target Computer Name>. The local SCM COM activator is also called the RPCSS service.

There are past troubleshooting details shared: mostly the remote server is offline, or the comms with the remote server are blocked at the client or remote server end. It can be any security device blocking, especially firewalls; secure by default, this port is included.

Wearing the security hat, indeed the DCOM port must be closed, especially if it is not used by any application, but mostly legacy apps can still be using it; most apps have shifted into the port 80 space... that is another playground.

Wearing the business hat, Microsoft does have something to say on securing the DCOM or COM+ service from a computer/application perspective, such as restricting to least privilege and specifying a specific user account (instead of the default system account) to run this. Ideally, the assigned account's only purpose is RPC related and, for this case, to facilitate the comms. Overall, the lockdown measures attempt to reduce the attack surface, though... you can catch a hardening example (pdf) which is pretty step by step for their case and reference.

There is a TechNet article on enabling the host FW to allow DCOM/COM+ to pass through.

In summary, in order to make DCOM applications work in Windows Server 2008 you need to do two things. Installing the Application role is not needed (but it does add the COM+ network access as in below).

a. Allow "COM+ network access" in firewall rules (type firewall.cpl from a command prompt and on the left you'll see the setting). COM+ is somewhat of a misnomer since it is also for DCOM. COM+ Network Access is a preconfigured program in the exception list that you can just check off.

b. Add your DCOM server to the list of program exceptions in the firewall.
Author Closing Comment

by:HCSHAW
ID: 39966891
That's the info I needed. Thanks.
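
As a first triage step for the asker's second question, the following added example (not part of the thread) groups Event ID 10009 entries by target host and reports how often each recurs and whether the target is a public IP address. The function name, the `FILESRV01` host and the timestamps are constructed for illustration; the IP address is the one quoted in the question.

```powershell
# Added example: summarize DCOM 10009 events per target host.
function Get-Dcom10009Summary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$InputObject
    )
    begin {
        $hits = @()
        # Wording of the 10009 message as quoted in the question
        $pattern = 'unable to communicate with the computer (\S+) using'
    }
    process {
        if ($InputObject.Message -match $pattern) {
            $hits += [pscustomobject]@{
                Target = $Matches[1]
                Time   = [datetime]$InputObject.TimeCreated
            }
        }
    }
    end {
        $hits | Group-Object Target | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            # Minutes between consecutive failures; a steady gap suggests a timer or updater
            $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) {
                ($times[$i] - $times[$i - 1]).TotalMinutes
            })
            $ip = $null
            $isIp = [System.Net.IPAddress]::TryParse($_.Name, [ref]$ip)
            # RFC 1918 and loopback ranges; DCOM to anything else leaves the LAN
            $internal = $_.Name -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
            [pscustomobject]@{
                Target        = $_.Name
                Count         = $_.Count
                First         = $times[0]
                Last          = $times[-1]
                AvgGapMinutes = if ($gaps.Count -gt 0) { [math]::Round(($gaps | Measure-Object -Average).Average, 1) } else { $null }
                PublicAddress = ($isIp -and -not $internal)
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample events (the message text follows the error quoted in the question)
$msg = 'DCOM was unable to communicate with the computer {0} using any of the configured protocols.'
$sample = @(
    [pscustomobject]@{ TimeCreated = '2014-03-28T09:00:00'; Message = $msg -f '74.125.224.72' }
    [pscustomobject]@{ TimeCreated = '2014-03-28T09:05:00'; Message = $msg -f '74.125.224.72' }
    [pscustomobject]@{ TimeCreated = '2014-03-28T09:10:00'; Message = $msg -f '74.125.224.72' }
    [pscustomobject]@{ TimeCreated = '2014-03-28T09:07:00'; Message = $msg -f 'FILESRV01' }
)
$sample | Get-Dcom10009Summary | Format-Table -AutoSize
```

On a live host, feed it from the System log instead of the sample: `Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10009 } | Get-Dcom10009Summary`.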