cancel
Showing results for 
Search instead for 
Did you mean: 

DCOM permissions for Index Task

dallandra
Level 2

Hi, first i'd like to say i've taken a look at the existing thread: https://www.veritas.com/community/forums/enterprise-vault-1003-issues-related-dcom and tried the suggestions there but they have not solved my issue. I've also engaged Veritas support via numerous webex sessions and ultimately they've deemed it a Microsoft issue and not a EV issue (which is fair enough as when we set the DCOM permissions manually and run the Index Task via EV Admin Console it works).

Environment: Win 2008 R2 SP1 EV Build: 10.0.4.1354_CHF3

Issue: Windows System Event Log: The application-specific permission settings do not grant Remote Launch permission for the COM Server application with CLSID {F4D3EB5B-C7C5-11D1-90DB-0000F879BE6A} and APPID {95DCB63F-C982-11D1-90E0-0000F879BE6A} to the user NT AUTHORITY\ANONYMOUS LOGON SID (S-1-5-7) from address 10.61.1.14.

This security permission can be modified using the Component Services administrative tool.

These errors appear for the EV DCOM processes: Enterprise Vault Task Controller Service & EnterpriseVault.StorageCrawler Again, when we edit the security for these processes to add ANONYMOUS LOGIN to have full launch and activation permissions, the Index Task can be manually ran. However, when we reboot the server the permissions we set manually have been removed.

Attempted Fixes:

1. Component Services > My Computer > Properties > COM Security > Edit Default > added ANONYMOUS USERS with full permissions (these settings are retained even after reboot)

2. Added Local Security Policy > Local Policy > Security Options > edit DCOM: Machine Access Restrictions & DCOM: Machine Launch Restrictions, to have ANONYMOUS USERS with full permissions (these settings are retained even after reboot; although i read in an MS technote that Local Security policies are overridden by Domain Group Policies if there are matching settings in both)

3. (because of 2.) we specifically added a Domain Group Policy for the same settings as '2' and confirmed (via GPRESULT /R) that this is the only Domain Group Policy that defines those two DCOM settings.

4. Added NT AUTHORITY\ANONYMOUS USERS to Local Users and Groups > Groups > Users

5. Re-applied the Vault Service Account logon credentials via VAC > Directory > Properties > Service Account any advice would be very welcomed! thanks

0 REPLIES 0