none
DCOM Error (Event 10006)

    General discussion

  • Hi there, hope you can help.

    We have a server running SBS 2003 SP2, which at 4pm everyday receives the following error in the event logs:

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10006
    Date:  23/04/2012
    Time:  16:04:12
    User:  N/A
    Computer: SERVER
    Description:
    DCOM got error "General access denied error " from the computer 192.168.*.** when attempting to activate the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    This is followed by an MRxSmb error (event 8003) stating:

    Event Type: Error
    Event Source: MRxSmb
    Event Category: None
    Event ID: 8003
    Date:  23/04/2012
    Time:  16:15:02
    User:  N/A
    Computer: SERVER
    Description:
    The master browser has received a server announcement from the computer ***** that believes that it is the master browser for the domain on transport NetBT_Tcpip_{646DE0D4-CD8C-4BE1-B4. The master browser is stopping or an election is being forced.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 03 00 4e 00   ......N.
    0008: 00 00 00 00 43 1f 00 c0   ....C..À
    0010: 00 00 00 00 00 00 00 00   ........
    0018: 0c 00 00 00 00 00 00 00   ........
    0020: 00 00 00 00 00 00 00 00   ........

    At this time, the customer loses connectivity to the server (and potentially internet access, though they will be checking this next time it goes down). We are their broadband provider in addition to being their IT Support, and we are not showing any faults on the internet side that would be causing any network dropouts (we have replaced the router for a brand new model as a matter of course, although this has not fixed the issue).

    If someone is able to shed some light on this, it would be greatly appreciated!


    Adam Graham

    Tuesday, April 24, 2012 7:46 AM

All replies

  • Hello,

    I beleive the GUID {8BC3F05E-D86B-11D0-A075-00C04FB68820} is the CLSID for WMI.

    To me, it looks like the workstation is trying to ask the server what services it provides, using WMI. It is using a non administrator level account and being denied access.

    For some reason, this machine then believes it is the best machine to be the computer browser master (If the partial IP address you supply and the ***** in the second error indicate the same PC). At this point I suspect it's network route table and browser list fails, and the PC basically disowns the network, trusting itself over the settings from the network.

    Is the PC getting it's IP and DNS via DHCP from the SBS server ?

    At 4 pm, is there anything in the PC eventlog (Application, system). Are there any scheduled tasks ?


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) - SBS MVP (2004 - 2008) *5 times Microsoft MVP award winner *Previously MacWorld Australia contributer *Previously APAC Vice Chairman Culminis (Pro IT User group support system)* APAC chairman GITCA *Director Business Technology Partners, Microsoft Small Business Specialist, SMB150 2012 Member

    Tuesday, April 24, 2012 9:46 AM
  • Hi,

    We disabled the Computer Browser Service (on both PC's) and this has stoppped the second event in the log (MRxSmb: 8003), but the initial event and drop of network is still occurring on 2 seperate PC's.

    Its IP is set statically.

    Nothing untoward in the scheduled tasks running near the time.

    In the event log:

    SecurityCenter: 1802

    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

    AutoEnrollment: 15

    Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a).  The specified server cannot perform the requested operation.

      Enrollment will not be performed.

    Usernev: 1053

    Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.


    Adam Graham

    Tuesday, April 24, 2012 3:34 PM
  • System Log:

    Netlogon Event: 5719

    No Domain Controller is available for domain GTE due to the following:

    The RPC server is unavailable. .

    Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.


    Adam Graham

    Tuesday, April 24, 2012 3:38 PM
  • Hello,

    The Browser service is needed if the user at the PC is ever likely to browse the network for servers etc (And other features).

    What OS is on the workstations that are failing to connect ?

    Is the DNS set to point to the SBS Server? Does it happen when IP is set via DHCP ? 


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) - SBS MVP (2004 - 2008) *5 times Microsoft MVP award winner *Previously MacWorld Australia contributer *Previously APAC Vice Chairman Culminis (Pro IT User group support system)* APAC chairman GITCA *Director Business Technology Partners, Microsoft Small Business Specialist, SMB150 2012 Member

    Wednesday, April 25, 2012 1:30 AM
  • So we should re-enable the Computer Browser Server? should it be manual or auto?

    The OS is XP

    DNS is set to the server.

    I will set IPs to DHCP assigned now and see if the issue arises at 4pm.


    Adam Graham


    • Edited by adamjkg Wednesday, April 25, 2012 8:09 AM
    Wednesday, April 25, 2012 8:06 AM
  • The computer browser service function will not cause a major issue however, I would turn it back on.

    It is normal for networks to hold browser elections.

    As you have mentioned that this is XP, is the Remote Procedure Call (RPC) service set to automatic and is it started (on the workstations). Is the Remote Procedure Call (RPC) locator set to Manual ?


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) - SBS MVP (2004 - 2008) *5 times Microsoft MVP award winner *Previously MacWorld Australia contributer *Previously APAC Vice Chairman Culminis (Pro IT User group support system)* APAC chairman GITCA *Director Business Technology Partners, Microsoft Small Business Specialist, SMB150 2012 Member

    Wednesday, April 25, 2012 8:38 AM
  • Thats correct, the RPC Service is set to automatic on the local machine and started, and the RPC Locator is set to manual (however it was not started by default). Should this be set to automatic?

    Additionally, since adding the DHCP reservation and setting the machines to auto assign their IP, the connection still drops but only for a couple of minutes at 4pm instead of requiring a reboot as it did in the past. We're getting closer it seems! Although we're still receiving the same DCOM error (one for each of the machines connected to the server, 30ish seconds apart) in the event logs


    Adam Graham

    Friday, April 27, 2012 8:35 AM
  • On the workstation end, can you look for errors in the eventlog about 4 pm ?

    Are there any scheduled tasks at 4 pm on the server?

    Does anything else around the office happen at 4pm?


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) - SBS MVP (2004 - 2008) *5 times Microsoft MVP award winner *Previously MacWorld Australia contributer *Previously APAC Vice Chairman Culminis (Pro IT User group support system)* APAC chairman GITCA *Director Business Technology Partners, Microsoft Small Business Specialist, SMB150 2012 Member

    Saturday, April 28, 2012 1:01 AM
  • Hi Adam, have you resolved the issue? If not, please feel free to let us know, thanks.

    Sean Zhu

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Sean Zhu

    TechNet Community Support

    Tuesday, May 01, 2012 5:27 AM
    Moderator
  • Thanks for the input guys.

    Firstly, the message i posted above on Tuesday, April 24, 2012 3:34 PM was the message the local machine is receiving. i will check again at 4pm today to see what the event logs are doing.

    Another diagnostic we are trying is running Wireshark on the server and local machine from 3:50pm to 4:10pm and monitor the subsequent logs to see if there's anything noticeable which kicks the local machine off the network. Just to note, the server does not lose it's network connection (e.g from external RDP onto server, then through the server RDP onto the local machine. The local machine connection drops, however the RDP to server is still live)


    Adam Graham

    Wednesday, May 02, 2012 8:28 AM
  • It sounds like name resolution drops however, I am not so sure IP and established port access is dropped.

    When this next occurs, can you try a ping by IP address to a known machine (e.g. a router or printer) and then try to ping the server ?

    can you also try and ping by the Netbios (short name) of the server and the Fully Qualified Domain name (FQDN).

    E.G "ping server" and "ping server.domain.local"


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) - SBS MVP (2004 - 2008) *5 times Microsoft MVP award winner *Previously MacWorld Australia contributer *Previously APAC Vice Chairman Culminis (Pro IT User group support system)* APAC chairman GITCA *Director Business Technology Partners, Microsoft Small Business Specialist, SMB150 2012 Member

    Wednesday, May 02, 2012 9:42 AM
  • A bit older thread, but I am assuming that some people might find this so...

    The problem is that the server wants to activate the WMI on the remote computer but cant. The solution in this case is to allow WMI activation/access on the machine's firewall.

    use the following command:

    On WinXP
    Netsh firewall set service RemoteAdmin enabled

    On Win7
    netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes


    SelfMan

    Thursday, January 03, 2013 5:40 AM