none
Event ID 10016 - DCOM Error on PS while different DPM (not selected) is trying to connect RRS feed

  • Question

  • Hi,

    we have event log DCOM issues on some protected servers.

    Environment:
    2x DPM 2010 (DPM01, DPM02)
    DPM02 protects the database of DPM02 and vice versa - no cross protection for protected servers.

    Protected server1 (PS01) is protected by DPM01 and backup runs smoothly.
    But in eventlog of PS01 very often following error appears:
    "The description for Event ID 10016 from source Microsoft-Windows-DistributedCOM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    application-specific
    Remote
    Activation
    {DA6AA17A-D61C-4E9C-8CEA-DB25DEA52A95}
    {2DF31D97-33CC-4966-8FF9-F47C90F7D0F3}
    <DOMAINNAME>
    DPM02$
    S-1-5-21-3240605545-1487839328-2192435096-115378
    192.168.1.1"

    I guess the error message could be:
    [...]The application-specific permission settings do not grant Remote Activation permission for the COM Server application with CLSID [...]
    [...]This security permission can be modified using the Component Services administrative tool[...]

    But why does DPM02 try to access PS01 although it is protected by DPM01?
    If it has something to do with cross protection (as mentioned: only DPM databases are cross protected) why does this message only appears on some servers?
    our SCOM team does not like errors in eventlog...

    In CurrLog of the DPM02 that does NOT (!) backup the PS01 one can find following entry:
    "WARNING CheckTimeoutMessage: code[0x00000101], detailedCode[0x80070005], errMgs[Zugriff verweigert (0x80070005)]
    WARNING [<?xml version="1.0" encoding="utf-16"?>
    WARNING <Status xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" StatusCode="-2147024891" Reason="Timeout" CommandInstanceID="cc781bae-9dcf-4783-8ade-e5913055bc38" CommandID="GetProperties" GuidWorkItem="1e890e9b-72e4-4bfa-b5f2-3afdd33a9c09" TETaskInstanceID="1e890e9b-72e4-4bfa-b5f2-3afdd33a9c09" xmlns="http://schemas.microsoft.com/2003/dls/StatusMessages.xsd">
    WARNING   <ErrorInfo ErrorCode="257" DetailedCode="-2147024891" DetailedSource="2" ExceptionDetails="" xmlns="http://schemas.microsoft.com/2003/dls/GenericAgentStatus.xsd">
    WARNING     <Parameter Name="servername" Value="PS01.domain.de" />
    WARNING   </ErrorInfo>
    WARNING </Status>].
    NORMAL FailTask[InstallListRefresh]
    NORMAL RaiseAgentUnreachableAlert serverName -> PS01.domain.de
    WARNING Task Diagnostic Information - <?xml version="1.0" encoding="utf-16"?>
    WARNING <TaskExecutionContext>
    WARNING   <AMServerName>PS01.domain.de</AMServerName>
    WARNING   <AMOsType>None</AMOsType>
    WARNING   <AMClusterName>
    WARNING   </AMClusterName>
    WARNING   <TEVerb>InstallListRefresh</TEVerb>
    WARNING   <TEErrorState>InstallListRefresh.AgentInstallStatusInquiring</TEErrorState>
    WARNING   <TEErrorDetails>&lt;?xml version="1.0" encoding="utf-16"?&gt;
    WARNING &lt;q1:ErrorInfo ErrorCode="1073742126" DetailedCode="-2147024891" DetailedSource="2" ExceptionDetails="" xmlns:q1="http://schemas.microsoft.com/2003/dls/GenericAgentStatus.xsd"&gt;
    WARNING   &lt;q1:Parameter Name="servername" Value="PS01.domain.de" /&gt;
    WARNING &lt;/q1:ErrorInfo&gt;</TEErrorDetails>
    WARNING </TaskExecutionContext>
    NORMAL Publishing event from TaskInstance.cs(825): TaskStop, [TaskID=1e890e9b-72e4-4bfa-b5f2-3afdd33a9c09]
    NORMAL Retrieving information for JobType for jobid a93756cb-2953-49e5-828f-e45f4aea2b28
    FATAL Task stopped (state=Failed, error=AMAgentAccessDenied; -2147024891; WindowsHResult), search "Task Diagnostic Information" for details.
    NORMAL FindAndExecuteReadyToExecuteTask : (job=a93756cb-2953-49e5-828f-e45f4aea2b28, taskId=5abf97a7-25d1-416e-8a22-6d223552c0e4) - Going to execute task as CheckTaskStatus returned ReadyToExecute
    NORMAL Retrieving a deployment for task[1e890e9b-72e4-4bfa-b5f2-3afdd33a9c09].
    NORMAL Setting up Fsm: verb[53603503-c4c8-4d0e-8f1e-d2f3868e51e3]
    NORMAL ExecuteTask(job=a93756cb-2953-49e5-828f-e45f4aea2b28) - Starting task instance
    WARNING ASSERT: (FileName:Deployment.cs; LineNumber:1545)
    WARNING AgentDeployment: bad column count in result set."

    Thanks in advance

    kind regards

    /bkpfast

     




    Monday, January 9, 2012 2:43 PM

Answers

  • Hi Wilson,

    I talked to one of our AD guys - he said generally all objects are the same it is just a different icon.
    As a "normal" admin one cannot change that icon - install routines can... So it seems that it is done by DPM.
    So I just tried adding the DPM02 computer account(although it was not there before!) - it seems to work.
    There are no DCOM security related error messages in eventlog anymore.

    The problem is that that that DPM02 was not in the list before and many other servers in our environment  are configured exactly the same (only the "active" backup server DPM01 is in the list) and we do not get those errors there.

    So although the workaround seems to work we need an official statement that it is recommended to add additional servers to the Launch and Activation Permissions list of the DPMRAService DCOM object.

    If it is not possible in this context I will open a support call I think.

    regards

    /bkpfast

     

    • Marked as answer by bkpfast Wednesday, February 1, 2012 10:25 AM
    Wednesday, January 18, 2012 2:52 PM

All replies

  • Yes,

    When you started doing DPMDB protection between these DPM servers, both got a list of all servers each other are protecting and these servers goes to the agent refresh job.

    Go to Component Services (dcomcnfg.exe)

    Expand Component Services -> Computers -> My COmputer -> DCOM Config.

    Search for DPM RA Service. Right click on it and select Properties. Go to Security Tab and click on Edit.

    If DPM02 is part of the list, remove and add it again.


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Wednesday, January 11, 2012 6:45 AM
  • Hi Wilson,

    thank you very much for your reply!
    I checked security permissions for the servers protected by DPM01 - all of them only have one entry -> 'DPM01$!, seems to be a user account.
    When searching for DPM02 I can only find a Computer Account - no user account.
    And additionally the security entries look the same for all protected servers but only some have those problems.

    What can I check else?
    Shall I add the Computer Account of DPM02 to the list?

    Thank you.

    kind regards

    /bkpfast

    Wednesday, January 11, 2012 2:10 PM
  • Hello?
    Tuesday, January 17, 2012 8:10 AM
  • Not sure if this could be a problem.

    The icon on my system shows as user account (even thoug this is a computer object).

    In one of these protected servers can you remove and add DPM02 back under DCOMCNFG (certify all options are set to allow)?


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Tuesday, January 17, 2012 8:17 AM
  • Hi Wilson,

    I talked to one of our AD guys - he said generally all objects are the same it is just a different icon.
    As a "normal" admin one cannot change that icon - install routines can... So it seems that it is done by DPM.
    So I just tried adding the DPM02 computer account(although it was not there before!) - it seems to work.
    There are no DCOM security related error messages in eventlog anymore.

    The problem is that that that DPM02 was not in the list before and many other servers in our environment  are configured exactly the same (only the "active" backup server DPM01 is in the list) and we do not get those errors there.

    So although the workaround seems to work we need an official statement that it is recommended to add additional servers to the Launch and Activation Permissions list of the DPMRAService DCOM object.

    If it is not possible in this context I will open a support call I think.

    regards

    /bkpfast

     

    • Marked as answer by bkpfast Wednesday, February 1, 2012 10:25 AM
    Wednesday, January 18, 2012 2:52 PM
  • When you create DPM primary/secondary relationship The protected server should have on its DCOM list both DPM servers.

    The reason for that is to allow you switch protection at any time and at the point the secondary DPM server should be able continue protection.

    From your scenario, DPM2 was dropped out from the DCOM permission list or it failed to be added in the first place.

     


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Wednesday, January 18, 2012 6:28 PM
  • Hi Wilson,

    hm....
    We have got 12 DPM servers and we use cross protection on all of them but only for the DPM databases.
    None of the(several hundred) protected servers has an additional entry in the DCPM security list for the other DPM server but only on some we have the problem with DCOM error in eventlog.

    Most of the servers do not show that error although there is only one DPM in the permissions list.

    kind regards

    /bkpfast

     

    Monday, January 23, 2012 10:31 AM
  • Any update to this?  We have the same error and adding the computer object for the secondary DPM computer account resolves the DCOM issue but all my other servers only show one DPM in the permissions list.


    Jeremy Schaffer

    Tuesday, August 14, 2012 7:38 PM
  • i added my secondary dpm server to this list (it was the computer account dpm2$)  i could not get the user account like a post above.  I want to ask a question.  how does this information get populated normally.   for example, i was getting the dcom event from our file2 server.  but our file1 server was not getting the event.  after looking at the dcom config for the dpm ra service, i see that out file1 had the dpm1$ and dpm$ user accounts populated.  the file2 server had only dpm1$.  i would like to know what circumstances lead to both dpmX$ accounts being on one, but only a single dpmX$ account being on the others.

    we have about 60 servers all but 7 seem to have only the one dpmX$ account.

    thanks in advance.

    Ian


    Ian

    Friday, March 1, 2013 7:49 PM
  • i am adding this reply once more, incase it is missed above.

    ____________________________________________________

    i added my secondary dpm server to this list (it was the computer account dpm2$)  i could not get the user account like a post above.  I want to ask a question.  how does this information get populated normally.   for example, i was getting the dcom event from our file2 server.  but our file1 server was not getting the event.  after looking at the dcom config for the dpm ra service, i see that out file1 had the dpm1$ and dpm$ user accounts populated.  the file2 server had only dpm1$.  i would like to know what circumstances lead to both dpmX$ accounts being on one, but only a single dpmX$ account being on the others.

    we have about 60 servers all but 7 seem to have only the one dpmX$ account.

    thanks in advance.

    Ian


    Ian

    Friday, March 1, 2013 7:52 PM
  • Hi,

    not a very smart solution:

    "In COM security tab select Edit Limits under Launch and Activation Permissions. Granted Access for Everyone for Remote Launch"

    regards

    /bkpfast


    My postings are provided "AS IS" with no warranties and confer no rights

    Monday, March 4, 2013 12:44 PM
  • Awesome!  It worked for me!
    Thursday, December 10, 2015 5:20 PM