Friday, April 25, 2008

DCOM Fun

Ok, checking the Windows eventlog is not one of my favorite things to do, but sometimes 'I'm feeling lucky' and start digging in the pile of shit called the eventlog.
On almost every server I find the DCOM error. Here is a nice solution:

DCOM Fun with SharePoint

One thing you will first notice in planning a MOSS install is the sheer number of service accounts used. Without proper planning, it is only going to result in a poor set up and most likely be insecure. Despite the complexity of having to learn what each service account is required for, MOSS2007 does a reasonable job in working in a restricted configuration. Properly configured, the majority of these accounts can run with minimal security privileges.
If you follow all the best practice guides, and religiously read Joel’s stuff, I would be preaching to the converted.
Anyhoo, there were some side effects with all of this which, when last I did it, were not in the official guides. Nothing major, but some annoying DCOM errors in the eventlogs. I didn’t even spend too much time working out which activity was causing them, but simply granted the minimal permissions required.
The config here was 2 WFE servers (intranet/extranet), one index/query server and 1 SQL cluster.

All Web Front End Servers:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: WEBSERVER1
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user l SID (S-1-5-21-573225893-205518295-00000000000-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:
Search for the GUID in the HKCR registry hive:
61738644-F196-11D0-9953-00C04FD919C1
The service name for this key is “IIS WAMREG Admin Service”.
Load DCOMCNFG, browse to My Computer -> “DCOM Config”.
Go to the properties of IIS WAMREG.
The permission missing was “Local Activation” permissions for the user.

DATABASE SERVERS
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: SQLCLUSTER1
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {ABF05265-635E-44B0-A28F-AEA45247ACA0} to the user SID (S-1-5-21-573225893-205518295-3307690801-69150). This security permission can be modified using the Component Services administrative tool.

This event seems to occur at: 12:00AM, 6:00AM, 12:00PM and 8:00PM.
Note: This error will be related to a SharePoint timer job of some description, and thus we need more permissions than just the base SQL Server roles that were set up originally.
Remedy:
The application for this CLSID is called “Microsoft.SqlServer.Dts.Server.DtsServer” in the registry.
Launch DCOMCNFG on SQL02 and SQL03. The DCOM name is MSDTSServer.
Under security, choose to Edit “Launch and Activation Permissions”.
Add the user to have local launch permissions.

EXTRANET WFE Server
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: EXTRANET1
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-0000000000-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:
Search for the GUID in the HKCR registry hive:
61738644-F196-11D0-9953-00C04FD919C1
The service name for this key is “IIS WAMREG Admin Service”.
Load DCOMCNFG, browse to My Computer -> “DCOM Config”.
Go to the properties of IIS WAMREG.
The permission missing was “Local Activation” permissions for the user.

QUERY/INDEX SERVER
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: INDEX01
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-3307690801-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:
Search for the GUID in the HKCR registry hive:
61738644-F196-11D0-9953-00C04FD919C1
The service name for this key is “IIS WAMREG Admin Service”.
Load DCOMCNFG, browse to My Computer -> “DCOM Config”.
Go to the properties of IIS WAMREG.
The permission missing was “Local Activation” permissions for the user.
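
The remedies above all start from the same three values in each event description: the right that was refused, the CLSID, and the SID. The PowerShell below is an added example, not part of the original post; it extracts those values and repeats the HKCR lookup so that only the missing right is granted to the one account named. The function names and the sample message (with a made-up SID) are constructed for illustration.

```powershell
# Added example; function names are hypothetical, not from the original post.
function ConvertFrom-Dcom10016Message {
    param([string]$Message)
    # Wording follows the descriptions quoted in the post. Remote is accepted too,
    # since DCOMCNFG lists remote launch/activation rights alongside the local ones.
    $pattern = '(?s)do not grant (?<Scope>Local|Remote) (?<Right>Launch|Activation) permission' +
               '.*?CLSID\s*(?<Clsid>\{[0-9A-Fa-f-]{36}\})' +
               '.*?SID \((?<Sid>S-[0-9-]+)\)'
    if ($Message -notmatch $pattern) { return }
    New-Object psobject -Property @{ Right = "$($Matches.Scope) $($Matches.Right)"; Clsid = $Matches.Clsid; Sid = $Matches.Sid }
}

function Resolve-DcomApplication {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # The manual "search the GUID in HKCR" step: CLSID -> AppID -> name shown in DCOM Config.
    $key = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue
    if (-not $key -or -not $key.AppID) { return $null }
    $app = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$($key.AppID)" -ErrorAction SilentlyContinue
    if ($app) { $app.'(default)' }
}

function Resolve-SidToAccount {
    param([Parameter(Mandatory=$true)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # not resolvable from this host: keep the raw SID
}

function Get-Dcom10016Summary {
    param([string[]]$Message)
    $Message | ForEach-Object { ConvertFrom-Dcom10016Message $_ } |
        Group-Object Clsid, Right, Sid | ForEach-Object {
            $e = $_.Group[0]
            New-Object psobject -Property @{
                Count = $_.Count; Right = $e.Right; Clsid = $e.Clsid
                Account = Resolve-SidToAccount $e.Sid
                Application = Resolve-DcomApplication $e.Clsid
            }
        }
}

# Constructed sample in the format quoted in the post; the SID is a made-up placeholder.
$sample = 'The application-specific permission settings do not grant Local Activation ' +
          'permission for the COM Server application with CLSID ' +
          '{61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-1111111111-2222222222-3333333333-1001).'
# Live use: pass (Get-WinEvent -FilterHashtable @{LogName='System'; Id=10016} | ForEach-Object { $_.Message })
Get-Dcom10016Summary -Message $sample | Format-List
```

Each output row names one account, one right and one DCOM application, which is the exact entry to add under “Launch and Activation Permissions” in DCOMCNFG.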