cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

DCOM Permission Errors - Event ID 10016 or 10015 - When restarting EV Admin service

fsalas
Level 3

‎01-15-2008 05:37 PM

Hello Folks,

I am new to this forum, but not new to Enterprise Vault.  I am not sure if this is the correct place to place this question/request.  If it isn’t, I apologize in advance.

 

My goal is to get the assistance from the EV Product Team.  I would like to see this escalated so it gets resolved.  I have already gone through support and it appears they can’t do anymore as only EV Engineers can fix it.

 

Problem Definition

===============

Symptom:  DCOM 10016 or 10015 Errors observed in Windows Event log.

Symptom:  All errors point to the EV service account or EV processes not having sufficient DCOM permissions assigned.

Fact:         Enterprise Vault Admin service resets DCOM permissions every time it is restarted.

Fact:         Errors do not appear to “break” overall EV functionality.

Fact:         Feedback from Tech Support is that this is “known issue” by the EV Engineering Group.

Fact:         Due to perceived “low impact” (i.e. server not down) issue has not gained attention to become an escalation.

Fact:         Customer’s confidence in the product going into a production environment is affected.

Fact:         There are many customers out there having this issue (as per Support’s feedback & what I see in the Discussion groups).

Action:      Replicated issue on three different environments with various EV versions.

Action:      Used “SkipChecks” (EV 7) and “DoNotChangeAnonymousPermissions” Registry Keys (EV 5 & 6) but NO effect. 

Action:      Researched DCOM permission changes made by Microsoft in Windows 2003 SP1 and higher.

Action:      Month-old Symantec Technical Support case open with no results or resolution (since December 11th, 2007)

Action:      Followed all Symantec’s technotes outlining steps/suggestions to correct DCOM permission.   For example:

                 http://seer.entsupport.symantec.com/docs/279588.htm

                 http://seer.entsupport.symantec.com/docs/284386.htm

 

Environment:

==========

Windows 2003 Enterprise SP1 and SP2

Enterprise Vault 7.0 SP1,

Enterprise Vault 2007 SP1, 2007 SP2

 

Errors in Event log:

==============

Event Type: Error Event Source: DCOM Event Category: None Event ID: 10016 Date: 12/15/2007 Time: 9:45:00 AM User: DOMAIN\EVSA_ACCOUNT Computer: ENTERPRISE_VAULT_SERVER Description: The application-specific permission settings do not grant Remote Launch permission

for the COM Server application with CLSID {562FF725-C308-11D1-93DA-0000F87A3C75}

to the user DOMAIN\ EVSA_ACCOUNT  SID (S-1-5-21-2076772084-1888234209-63777028-948613).

This security permission can be modified using the Component Services administrative tool.

 

To replicate the problem:

===================

1.       Follow any of the Symantec technotes and assign suitable DCOM permissions to the EV account and EV processes as required.

2.       Restart EV admin service

3.       Check DCOM permissions that were just set.  They will be gone!

 

Current Status:

============

My colleagues and I have been troubleshooting and replicating this issue for the past month and followed Symantec technotes and/or suggestions provided by EV Technical Support.  The technotes or suggestions are really useless because the Enterprise Vault Admin service wipes and resets the DCOM permissions when it is restarted.  Due to the low severity of the support case (server is not down) and the fact that the issue has not been considered an actual problem to resolve; there has been no action or feedback indicating issue will be addressed.  It is unknown when this will get corrected.

 

Comments:

=========

Our understanding is that Microsoft did in fact tighten DCOM access by removing the Anonymous account from the “Everyone” group, so as to move away from allowing Anonymous Logon access for security reasons:

http://technet2.microsoft.com/windowsserver/en/library/4c9a2873-2010-4dbb-b9dd-6a7d1e275f0f1033.mspx...

 

Microsoft’s suggestions to correct any of these DCOM permission errors indicate that you can:

- Add the account used by that program to the new group called “Distributed DCOM users” …or…

- Give the account or process that is identified by the error the necessary DCOM permissions.

*** However, due to the EV admin service resetting them, this would seem to be impossible to make stick for any length of time. 

 

In our research to understand the problem, we saw that these errors are a common problem for a lot of other applications that rely on DCOM.  In all the resolutions, they advise to set the DCOM permission manually for the account/process involved and the problem disappears.

 

I am confused why Symantec appears to be relying on still giving the Anonymous account the same DCOM permissions when Microsoft has moved away from this for security reasons.  Our customers wonder why the Anonymous account is needed when a special dedicated account (EVSA) is being used to run the services and processes for EV to function. 

 

Questions:

========

o        Shouldn’t the EVSA account be given the appropriate DCOM permissions instead? 

o        Why is DCOM permissions hard coded into the service? 

o        Should we not have a choice between running a script (once!) and then do DCOM permission individually without losing them?

o        Why are the registry keys specifically created to bypass the “checking/setting” of the DCOM permissions (“SkipChecks” for EV 7 & DoNotChangeAnonymousPermissions” for EV 5 & 6) NOT working?

o        Why is the focus on the Anonymous account, when these errors are being flagged as attributed to the EVSA account and EV processes?

o        Shouldn’t the DCOM permissions be set up correctly for the EVSA at minimum?

 

 

Please help!  Thanks in advance!

 

 

Francisco.

0 Kudos
29 REPLIES 29

philloss
Level 4

‎06-26-2008 01:22 AM

Hi there,

I have recently installed EV 2007 with Sp3 and am getting the same errors. Have Symantec managed to fix this issue yet?

Many thanks.


0 Kudos

Kopfjager
Level 5
Employee Certified

‎06-26-2008 04:25 AM

Hi,
     As Dodo said a couple posts back, it is slated to be fixed in 2007 SP4.   That should be out the end of this summer roughly.
 
Paul
0 Kudos

Popolou
Level 4

‎06-26-2008 04:55 AM

Regarding SP4, has Symantec produced a list of fixes they plan to release with this service pack?

Thanks

Pop
0 Kudos

Michael_Bilsbor
Level 6
Accredited

‎06-26-2008 04:09 PM

Hi,
 
No, there is no list yet as we're still working on it.  We generally develop the release notes towards the end of the service pack rather than as we go along.  Also if we did publish this information but then had to pull a fix for some reason there would be a lot of confusion.
0 Kudos

philloss
Level 4

‎06-26-2008 05:54 PM

Great thanks for that.
0 Kudos

rw
Level 3

‎09-17-2008 09:42 AM

Any update on when SP4 will be released?
0 Kudos

Kopfjager
Level 5
Employee Certified

‎09-17-2008 11:25 AM

SP4 tentatively is scheduled for mid to late next week.   It will include a fix for this issue.

 

 

0 Kudos

rw
Level 3

‎10-16-2008 01:43 PM

Paul, Where can someone find SP4? Thanks,
0 Kudos

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

‎10-16-2008 04:18 PM

Here: https://forums.symantec.com/syment/blog/article?message.uid=354038
0 Kudos

rw
Level 3

‎10-20-2008 07:34 AM

Thanks Andrew!

0 Kudos