DCOM Fun with SharePoint

One thing you will notice first when planning a MOSS install is the sheer number of service accounts used. Without proper planning, the result will be a poor setup that is most likely insecure. Despite the complexity of having to learn what each service account is required for, MOSS 2007 does a reasonable job of working in a restricted configuration. Properly configured, the majority of these accounts can run with minimal security privileges.

If you follow all the best practice guides, and religiously read Joel’s stuff, I would be preaching to the converted.

Anyhoo, there were some side effects with all of this which, when last I did it, were not in the official guides. Nothing major, but some annoying DCOM errors in the event logs. I didn’t even spend too much time working out which activity was causing them, but simply granted the minimal permissions required.

The config here was 2 WFE servers (intranet/extranet), one index/query server and 1 SQL cluster.

All Web Front End Servers:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: WEBSERVER1

Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user l SID (S-1-5-21-573225893-205518295-00000000000-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:

  • Search the GUID in HKCR registry…
  • 61738644-F196-11D0-9953-00C04FD919C1
  • The service name for this key is “IIS WAMREG Admin Service”
  • Load DCOMCNFG, browse to My Computer -> “DCOM Config”
  • Go to the properties of IIS WAMREG
  • The permission missing was “Local Activation” permissions for the user .

DATABASE SERVERS

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: SQLCLUSTER1

Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {ABF05265-635E-44B0-A28F-AEA45247ACA0} to the user SID (S-1-5-21-573225893-205518295-3307690801-69150). This security permission can be modified using the Component Services administrative tool.

This event seems to occur at: 12:00AM, 6:00AM, 12:00PM and 8:00PM.

Note: This error will be related to a SharePoint timer job of some description, and thus we need more permissions than just the base SQL Server roles that were set up originally.

Remedy:

  • The application for this CLSID is called “Microsoft.SqlServer.Dts.Server.DtsServer” in the registry.
  • Launch DCOMCNFG on SQL02 and SQL03. The DCOM name is MSDTSServer
  • Under security, choose to Edit “Launch and Activation Permissions”
  • Add the user to have local launch permissions

EXTRANET WFE Server

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: EXTRANET1

Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-0000000000-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:

  • Search the GUID in HKCR registry..
  • 61738644-F196-11D0-9953-00C04FD919C1
  • The service name for this key is IIS WAMREG Admin Service
  • Load DCOMCNFG, browse to My Computer -> “DCOM Config”
  • Go to the properties of IIS WAMREG
  • The permission missing was “Local Activation” permissions for the user .

QUERY/INDEX SERVER

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: INDEX01

Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-3307690801-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:

  • Search the GUID in HKCR registry..
  • 61738644-F196-11D0-9953-00C04FD919C1
  • The service name for this key is IIS WAMREG Admin Service
  • Load DCOMCNFG, browse to My Computer -> “DCOM Config”
  • Go to the properties of IIS WAMREG
  • The permission missing was “Local Activation” permissions for the user .
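
The remedies above all start from the same three facts in the Event ID 10016 description: which permission was denied, for which CLSID, and to which SID. As an added example (not part of the original post), this Python script parses those descriptions and reduces them to the distinct grants each host needs, so nothing broader is added in DCOMCNFG. The function names and sample list are hypothetical; the event wording, CLSIDs, SIDs and application names are taken from the post.

```python
import re
from collections import defaultdict

# Application names exactly as the post gives them for each CLSID.
KNOWN_APPS = {
    "61738644-F196-11D0-9953-00C04FD919C1": "IIS WAMREG Admin Service",
    "ABF05265-635E-44B0-A28F-AEA45247ACA0": "MSDTSServer",
}
# Matches the Event ID 10016 description; the account name before "SID" may be
# blank or truncated, as it is in the events quoted in the post.
EVENT_RE = re.compile(
    r"do not grant (?P<scope>Local|Remote) (?P<right>Launch|Activation) permission "
    r"for the COM Server application with CLSID \{(?P<clsid>[0-9A-Fa-f-]{36})\} "
    r"to the user .*?SID \((?P<sid>S-[0-9-]+)\)")

def parse_10016(description):
    """Return (permission, clsid, sid), or None if the text is not a 10016 denial."""
    m = EVENT_RE.search(" ".join(description.split()))  # collapse wrapped lines
    if m is None:
        return None
    return (f"{m['scope']} {m['right']}", m["clsid"].upper(), m["sid"])

def grant_plan(events):
    """Reduce (computer, description) pairs to the distinct grants each host needs."""
    plan = defaultdict(set)
    for computer, description in events:
        parsed = parse_10016(description)
        if parsed:  # skip anything that is not a 10016 permission denial
            permission, clsid, sid = parsed
            app = KNOWN_APPS.get(clsid, "unknown CLSID " + clsid)
            plan[computer].add((app, permission, sid))
    return {host: sorted(grants) for host, grants in plan.items()}

# Sample input rebuilt from the event text quoted in the post (SIDs as shown there).
_TEXT = ("The application-specific permission settings do not grant {perm} permission "
         "for the COM Server application with CLSID {{{clsid}}} to the user {user}SID ({sid}).")
_WAMREG, _DTS = KNOWN_APPS  # the two CLSID keys, in insertion order
SAMPLE_EVENTS = [
    ("WEBSERVER1", _TEXT.format(perm="Local Activation", clsid=_WAMREG, user="l ",
                                sid="S-1-5-21-573225893-205518295-00000000000-00000")),
    ("SQLCLUSTER1", _TEXT.format(perm="Local Launch", clsid=_DTS, user="",
                                 sid="S-1-5-21-573225893-205518295-3307690801-69150")),
    ("SQLCLUSTER1", _TEXT.format(perm="Local Launch", clsid=_DTS, user="",
                                 sid="S-1-5-21-573225893-205518295-3307690801-69150")),
]

if __name__ == "__main__":
    for host, grants in grant_plan(SAMPLE_EVENTS).items():
        print(host, grants)
```

The repeated SQLCLUSTER1 event, which the post says recurs several times a day, collapses to a single grant.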

4 Comments on “DCOM Fun with SharePoint”

  1. Thanks very much!

    You are my God. I had the same problem and I resolved the problem with your help.

    Regards.
