DCOM Fun with SharePoint

One thing you will first notice in planning a MOSS install is the sheer number of service accounts used. Without proper planning, it is only going to result in a poor set up and most likely be insecure. Despite the complexity of having to learn what each service account is required for, MOSS2007 does a reasonable job in working in a restricted configuration. Properly configured, the majority of these accounts can run with minimal security privileges.

If you follow all the best practice guides, and religiously read Joel’s stuff, I would be preaching to the converted.

Anyhoo, there were some side effects with all of this which, when last I did it, were not in the official guides. Nothing major, but some annoying DCOM errors in the eventlogs. I didn’t even spend too much time working out which activity was causing them, but simply granted the minimal permissions required.

The config here was 2 WFE servers (intranet/extranet), one index/query server and 1 SQL cluster

All Web Front End Servers:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: WEBSERVER1

Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user l SID (S-1-5-21-573225893-205518295-00000000000-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:

• Search the GUID in HKCR registry…
• 61738644-F196-11D0-9953-00C04FD919C1
• The service name for this key is “IIS WAMREG Admin Service”
• Load DCOMCNFG, browse to My Computer -> ” DCOM Config”
• Go to the properties of IIS WAMREG
• The permission missing was “Local Activation” permissions for the user .
  

DATABASE SERVERS

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: SQLCLUSTER1

Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {ABF05265-635E-44B0-A28F-AEA45247ACA0} to the user SID (S-1-5-21-573225893-205518295-3307690801-69150). This security permission can be modified using the Component Services administrative tool.

This event seems to occur at: 12:00AM, 6:00AM, 12:00PM and 8:00PM.

Note: This error will be related to a SharePoint timer job of some description, and thus, we need more permission that just the base SQL Server roles that were set up originally.

Remedy

• The application for this CLSID is called “Microsoft.SqlServer.Dts.Server.DtsServer” in the registry.
  
• Launch DCOMCNFG on SQL02 and SQL03. The DCOM name is MSDTSServer
  
• Under security, choose to Edit “Launch and Activation Permissions”
  
• Add the user to have local launch permissions
  

EXTRANET WFE Server

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: EXTRANET1

Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-0000000000-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:

• Search the GUID in HKCR registry..
  
• 61738644-F196-11D0-9953-00C04FD919C1
  
• The service name for this key is IIS WAMREG Admin Service
  
• Load DCOMCNFG, browse to My Computer -> ” DCOM Config”
  
• Go to the properties of IIS WAMREG
  
• The permission missing was “Local Activation” permissions for the user .
  

QUERY/INDEX SERVER

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
User:
Computer: INDEX01

Description:The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user SID (S-1-5-21-573225893-205518295-3307690801-00000). This security permission can be modified using the Component Services administrative tool.

Remedy:

• Search the GUID in HKCR registry..
  
• 61738644-F196-11D0-9953-00C04FD919C1
  
• The service name for this key is IIS WAMREG Admin Service
  
• Load DCOMCNFG, browse to My Computer -> ” DCOM Config”
  
• Go to the properties of IIS WAMREG
  
• The permission missing was “Local Activation” permissions for the user .