DCOM Fun with SharePoint
One thing you will first notice in planning a MOSS install is the sheer number of service accounts used. Without proper planning, it is only going to result in a poor set up and most likely be insecure. Despite the complexity of having to learn what each service account is required for, MOSS2007 does a reasonable job in working in a restricted configuration. Properly configured, the majority of these accounts can run with minimal security privileges.
If you follow all the best practice guides, and religiously read Joel’s stuff, I would be preaching to the converted.
Anyhoo, there were some side effects with all of this which, when last I did it, were not in the official guides. Nothing major, but some annoying DCOM errors in the eventlogs. I didn’t even spend too much time working out which activity was causing them, but simply granted the minimal permissions required.
The config here was 2 WFE servers (intranet/extranet), one index/query server and 1 SQL cluster
All Web Front End Servers:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: WEBSERVER1
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user l SID (S-1-5-21-573225893-205518295-00000000000-00000). This security permission can be modified using the Component Services administrative tool.
Remedy:
- Search the GUID in HKCR registry…
- 61738644-F196-11D0-9953-00C04FD919C1
- The service name for this key is “IIS WAMREG Admin Service”
- Load DCOMCNFG, browse to My Computer -> ” DCOM Config”
- Go to the properties of IIS WAMREG
- The permission missing was “Local Activation” permissions for the user .
DATABASE SERVERS
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: SQLCLUSTER1
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {ABF05265-635E-44B0-A28F-AEA45247ACA0} to the user SID (S-1-5-21-573225893-205518295-3307690801-69150). This security permission can be modified using the Component Services administrative tool.
This event seems to occur at: 12:00AM, 6:00AM, 12:00PM and 8:00PM.
Note: This error will be related to a SharePoint timer job of some description, and thus, we need more permission that just the base SQL Server roles that were set up originally.
Remedy
- The application for this CLSID is called “Microsoft.SqlServer.Dts.Server.DtsServer” in the registry.
- Launch DCOMCNFG on SQL02 and SQL03. The DCOM name is MSDTSServer
- Under security, choose to Edit “Launch and Activation Permissions”
- Add the user to have local launch permissions
- EXTRANET WFE Server
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: EXTRANET1
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-0000000000-00000). This security permission can be modified using the Component Services administrative tool.
Remedy:
- Search the GUID in HKCR registry..
- 61738644-F196-11D0-9953-00C04FD919C1
- The service name for this key is IIS WAMREG Admin Service
- Load DCOMCNFG, browse to My Computer -> ” DCOM Config”
- Go to the properties of IIS WAMREG
- The permission missing was “Local Activation” permissions for the user .
QUERY/INDEX SERVER
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: INDEX01
Description:The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-3307690801-00000). This security permission can be modified using the Component Services administrative tool.
Remedy:
- Search the GUID in HKCR registry..
- 61738644-F196-11D0-9953-00C04FD919C1
- The service name for this key is IIS WAMREG Admin Service
- Load DCOMCNFG, browse to My Computer -> ” DCOM Config”
- Go to the properties of IIS WAMREG
- The permission missing was “Local Activation” permissions for the user .
May 15th, 2008 at 3:09 pm |
hi to more detail to solve this error
click here
http://www.sharepointlions.blogspot.com
May 20th, 2008 at 3:51 am |
Thank’s very much!
You are my God. I had the same problem and I resolve the problem with you help.
Regards.
July 19th, 2008 at 6:41 pm |
[…] farm server, over and above what it minimally needs (which is some SQL Server rights and some DCOM permission stuff). For what it’s worth, I do not use the Network Service account either, as it is […]
January 12th, 2009 at 7:45 pm |
[…] it by reading this or this. Possibly related posts: (automatically generated)Using SharePoint Request Access […]
January 27th, 2009 at 7:10 am |
[…] http://www.cleverworkarounds.com/2007/10/25/dcom-fun-with-sharepoint/ […]
March 27th, 2009 at 2:34 am |
[…] The Application Log of my VM was defiled by actual errors! It was SharePoint trying to log into my SQL Server 2008 instance but it wasn’t ‘ready’ to accept connections… I strongly suspect that SharePoint services will try to access the database during system startup and shutdown—when services SPTimerV3, SPTrace, SPAdmin and SPSearch are set to start automatically. What’s a dangerous possibility is that SharePoint might try to write to the database during a system shutdown. The 2008 SQL instance might ‘abandon’ SharePoint, leaving it to perhaps damage the disk with its unmanaged, wild-ass DCOM parts. […]
April 26th, 2009 at 4:36 am |
Thanks for the fix on the DCOM errors. Worked! -j
December 17th, 2009 at 8:16 pm |
http://www.wictorwilen.se/Post/Fix-the-SharePoint-DCOM-10016-error-on-Windows-Server-2008-R2.aspx
Here’s further info to fix this error on Server 2008 R2