Thursday, 29 October 2009

DCOM error 10016 with SharePoint 2010 on Windows Server 2008 R2

This used to happen with MOSS 2007 on Server 2003 too, so I wasn’t that concerned… Usual process of finding the CLSID in the Registry and changing the permissions using the Component services snap-in… Or so I thought…

 

Here is the error:

 

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          29/10/2009 11:52:52
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          CORPNET\_SP_Farm
Computer:      SP2010TP.CORPNET.beta
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
and APPID
{61738644-F196-11D0-9953-00C04FD919C1}
to the user CORPNET\_SP_Farm SID (S-1-5-21-1469829728-1532128048-1498870291-1109) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="
http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
    <EventID Qualifiers="49152">10016</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-10-29T11:52:52.000000000Z" />
    <EventRecordID>2246</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>SP2010TP.CORPNET.beta</Computer>
    <Security UserID="S-1-5-21-1469829728-1532128048-1498870291-1101" />
  </System>
  <EventData>
    <Data Name="param1">application-specific</Data>
    <Data Name="param2">Local</Data>
    <Data Name="param3">Activation</Data>
    <Data Name="param4">{61738644-F196-11D0-9953-00C04FD919C1}</Data>
    <Data Name="param5">{61738644-F196-11D0-9953-00C04FD919C1}</Data>
    <Data Name="param6">CORPNET</Data>
    <Data Name="param7">_SP_Farm</Data>
    <Data Name="param8">S-1-5-21-1469829728-1532128048-1498870291-1109</Data>
    <Data Name="param9">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>

 

I found {61738644-F196-11D0-9953-00C04FD919C1} to be IISWAMREG as I suspected (no harm in verifying the ID in regedit!).

 

Next, I opened the Component Services Snap-In (StartRun > comexp.msc) and drilled down through Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service ….

 

Only to find all options greyed out!!

 

image

 

At first I thought UAC was the culprit so I ran did the “right click >run as administrator” which made no difference…

 

Thinking it had to be a permissions issue I fired up my old friend Process Monitor (from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) and found I didn’t have permission!

 

Date & Time:    29/10/2009 12:25:35
Event Class:    Registry
Operation:    RegOpenKey
Result:    ACCESS DENIED
Path:    HKCR\AppID\{61738644-F196-11D0-9953-00C04FD919C1}
TID:    748
Duration:    0.0000322
Desired Access:    Write, Query Value, Enumerate Sub Keys, Write DAC

 

So back to Regedit to inspect permissions…

 

Found that as an Administrator I didn’t have full control:

 

image

 

Granted CORPNET\Administrators full control, re-opened the MMC and was able to correct the permissions, to do this:

 

Open the Component Services Snap-In (StartRun > comexp.msc) and drill down through Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service

 

Right click on IIS WAMREG Admin Service and on the Security tab click Edit in the Launch and Activation  Permissions section.

Grant the account referenced in the event log (mine is _SP_Farm) the following permissions:

 

Allow: Local Launch

Allow: Local Activation

 

image

 

All done ;)

 

You might as well grant the same rights to the accounts you’re going to use for running Service Apps at this point (or you’ll be back here in a few minutes anyway!).

 

EDIT:

 

As Tristan (http://tristanwatkins.com/) points out, if you do this for the WSS_WPG and WSS_ADMIN_WPG groups (local to each SP2010 server) rather than individual user accounts you will accommodate future changes. Thanks Tristan!

31 comments:

  1. Hi Matt,

    Thanks for posting this! One minor thing - I'd suggest granting the Launch and Activation permissions to the WSS_WPG and WSS_ADMIN_WPG local groups to save having to do this for any future changes.

    Cheers!

    Tristan

    ReplyDelete
  2. Tristan, that is a very valid point, have updated the post. Thanks for yout feedback!

    ReplyDelete
  3. Hi Matt,

    Just wanna make a little remark concerning this issue on Windows 7. You may have to take ownership of the registry key, with the machine "administrators" group for instance, before being able to change the permissions to full control.

    Anyway, thank you for the post. That helped !

    Cheers,
    Catalin

    ReplyDelete
  4. @catalin - that's useful info, I haven't tried running SP2010 on 7 yet, but will bear your comments in mind when I do.
    Thanks for the feedback!

    ReplyDelete
  5. Hi Matt, Good post. Although I am still having issues with greyed out boxes. I have ran Regedit as administrator, taken ownership and applied the Full Control permission for the administrators group for the IIS WAMREG CSLID reg entry. I then ran component services as administrator but the Security tab is still greyed out for the IIS WAMREG entry. This is also following a server restart. Any ideas?
    cheers, Steve

    ReplyDelete
  6. @alfiescott - are you logged on the server with an account that is a member of the "administrators" group? Did you check the CLSID is what you think it is? (search the registry for the CLSID referenced in the event log error and it will tell which component it relates to, it may not be IISWAMREG...
    Let me know how you get on.

    ReplyDelete
  7. Hi Matt, Yep I'm using my domain admin account for this although I have tried with the local admin and Enterprise admin account as well after it failed the first time. I have also checked the local security policy to ensure that there are no user account restrictions. I have tracked down the CLSID from the 10016 errors which identify: 61738644-F196-11D0-9953-00C04FD919C1 - IIS WAMREG. This is following a fresh install of MOSS2007 so it seems to be the exact issue above although for some reason the security tab in Component Services is still greyed out even after following the procedure to grant the administrators group full control in the registry. I cannot seem to find any forum or blog posts that refer to someone still having this issue afer changing the permissions.

    ReplyDelete
  8. I'm having the same problem. I can't even change the Permissions. Every time I try to edit or change the Permissions through regedit, I get:

    Unable to save permission changes ... Access is denied.

    ReplyDelete
  9. @alife and @gary - at the point that you make the registry permissions change does ProcessMonitor report anything for regedit.exe?

    ReplyDelete
  10. I fixed it. I had to make Administrators the owner with regedit. this enabled me to modify/save wamreg settings.

    Now if I could solve:

    SQL Database 'Application_Registry_Service_DB_397f49ae3d2742d7a81076eabe31724c' on SQL Server instance 'WEBSERVER\SharePoint' not found. Additional error information from SQL Server is included below.

    Cannot open database "Application_Registry_Service_DB_397f49ae3d2742d7a81076eabe31724c" requested by the login. The login failed.
    Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

    I'm amazed that you can install Sharepoint and not have things setup so you can use it! Are there installation instructions that I'm not aware of?? It always seems that I have to do 3 weeks of research just to get Sharepoint working properly. I had similar issues with SP 3.0 on Server 2003.

    Do I need to give SQL 'NT AUTHORITY\NETWORK SERVICE' permission some where??

    ReplyDelete
  11. I had tried changing the owner in Regedit already but this did not resolve the issue. I have decided to start again from scratch including removing the Server Roles, IIS, Application Server etc. I will let you know how I get on this time round.

    ReplyDelete
  12. @gary - great to see you're making progress! Looks like NETWORK SERVICE is being used for a service account, is this a single server install or is SQL running on a different server or VM?

    ReplyDelete
  13. @alfie - please do let me know, are you re-installing the OS as part of your rebuild?

    ReplyDelete
  14. Hi Matt, I reinstalled the OS and started from scratch. When I installed the Application Server role this time around I also selected the "COM+ Network Access" additional feature and since re-installing SharePoint I have not had any errors at all in Event Viewer never mind the DCOM errors I was experiencing before. I'm not sure whether this was the reason or if I had managed to do something else differently during configuration. Many thanks for your help with this issue.

    ReplyDelete
  15. Matt,

    Thanks for all your help. This is a single server install. I'm still getting the same repetitive events:

    Warning:Crawl cannot be started because the content source Local SharePoint sites has no start addresses. Add at least one start address.

    Context: Application 'Search_Service_Application', Catalog 'Portal_Content'

    Plus the Critical error I listed above.

    I'll be taking a look at selecting "COM+ Network Access" feature suggested by alfie. Would like to hear your thoughts on it. Can this be edited without doing a reinstall?

    ReplyDelete
  16. Matt,

    I opened Server Manager, highlighted Aplication Server. COM+ Network Access is (was already) installed, The only additional roles for Application Server listed is Distributed Transactions, which I assume I shouldn't need in a single server environment,

    ReplyDelete
  17. Thanks for this fix. Worked for me! To alfiescott and others: are you sure you aren't change the permissions on HKCR\CLSID\... instead of the HKCR\AppID\...? The former does not fix the "greyed-out" issue, the latter does. (I know because I made that mistake!)

    ReplyDelete
  18. Or if the GUID in the error-message is same as the guid you are adapting? If yes, does it stand for the IIS WAMREG Admin Service or an other component? At my Wind 2008 R2 it was an other component....

    ReplyDelete
  19. You need to search the registry for the GUID of the component, it may not be IIWS WAMREG, the registry will tell you.

    ReplyDelete
  20. Nice info. thanks for sharing.
    zee
    walisystems.com

    ReplyDelete
  21. I too get this error. Very thanks to you. You have given the solution at the right time. Great work from you. Keep it up..

    http://godwinsblog.cdtech.in/2010/12/sharepoint-2010-root-of-certificate.html

    ReplyDelete
  22. Hi their,

    yup yup i also join the club with this nice error only i am a bit more unfortunate and feel like a donkey.

    Normaly I always make snap-shot from my VM's before i do exciting stuf but now for 2 weeks i'm asking the client on phone and mail for access to the machine and you guessed it, still no access.
    So what i do proceed in changing the registry and forgot about exporting it.

    The result is that now my Publishing Feature is not starting. if I deactivate everything is fine but as soon as i activate BAM corelation ID error's.

    I even reinstalled the binaries or tried to make a new web app with the publish feature same result. It doesn't give me a nice feeling when entering this Christmas weekend, hopefully one of you guys have a briliant idea.

    Maarten

    ReplyDelete
  23. Maarten, if you join another web server to the farm does it also suffer the errors?
    I'm just thinking that the registry issues will probably be limited to the single server and the actual content will be fine...

    ReplyDelete
  24. Have tried everything above but settings continue to be grayed out? I have rebooted the server and varified that the user account I am using has admin writes to the registry key. Not sure what to do from here?

    ReplyDelete
  25. Nevermind changed the HKCR\CLSID\... instead of the HKCR\AppID\ That fixed... Thank you!

    ReplyDelete
  26. Thank you very much Matt for this very good post that helped my to to break a deadlock.
    Joe.

    ReplyDelete
  27. Thanks, I could stop an annoying sharepiont error by this post

    ReplyDelete

Please feel free to comment on this post, I want to hear your feedback!