Microsoft KB Archive/913119

= Event ID 10021 and event ID 10016 occur after a site reset or after an SMS 2003 service pack installation on a site server running on Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 =

Article ID: 913119

Article Last Modified on 6/7/2007


APPLIES TO


 * Microsoft Systems Management Server 2003




SYMPTOMS
Consider the following scenarios:
 * A Microsoft Systems Management Server (SMS) 2003 site server is installed on a computer that is running the release version of Microsoft Windows Server 2003. An SMS service pack may be installed. You upgrade the server to Windows Server 2003 with Service Pack 1 (SP1) or to Windows Server 2003 with Service Pack 2 (SP2).
 * An SMS 2003 site server is installed on a computer that is running Windows Server 2003 with SP1 or Windows Server 2003 with SP2. An SMS service pack may be installed. You upgrade the SMS site server by installing an SMS 2003 service pack.
 * An SMS 2003 site server is installed on a computer that is running Windows Server 2003 with SP1 or Windows Server 2003 with SP2. An SMS service pack may be installed. During maintenance or troubleshooting operations, you reset the SMS site server.

In each of these scenarios, the following error messages are logged when you try to initiate an action on a client computer from the site server.

Event message 1

Event Type: Error

Event Source: DCOM

Event Category: None

Event ID: 10021

Date:

Time:

User: N/A

Computer:

Description:

The launch and activation security descriptor for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Event message 2

Event Type: Error

Event Source: DCOM

Event Category: None

Event ID: 10016

Date:

Time:

User: NT AUTHORITY\SYSTEM

Computer:

Description:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
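When these events appear on more than one site server, pulling the CLSID, account, and missing permission out of each description shows which DCOM ACLs need attention. The following is an added example, not part of the original article; the function names are illustrative, and the patterns cover only the two message wordings quoted above.

```python
import re

# Patterns match only the Windows Server 2003 wording quoted in this article.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
RE_10016 = re.compile(
    r"do not grant (?P<scope>Local|Remote) (?P<right>Launch|Activation) "
    r"permission for the COM Server application with CLSID (?P<clsid>" + CLSID +
    r") to the user (?P<account>.+?) SID \((?P<sid>S-[0-9-]+)\)")
RE_10021 = re.compile(
    r"launch and activation security descriptor for the COM Server "
    r"application with CLSID (?P<clsid>" + CLSID + r")\.? is invalid")

def parse_dcom_event(event_id, description):
    """Return the fields needed to locate the ACL, or None if nothing matches."""
    text = " ".join(description.split())  # collapse line wraps from log exports
    if event_id == 10016:
        m = RE_10016.search(text)
        if m:
            return {"event_id": 10016, "clsid": m["clsid"].upper(),
                    "account": m["account"], "sid": m["sid"],
                    "missing": m["scope"] + " " + m["right"]}
    elif event_id == 10021:
        m = RE_10021.search(text)
        if m:  # 10021 names no account: the descriptor itself is rejected
            return {"event_id": 10021, "clsid": m["clsid"].upper(),
                    "account": None, "sid": None,
                    "missing": "valid launch/activation descriptor"}
    return None

def summarize(events):
    """Group parsed events by CLSID so each COM application is reviewed once."""
    by_clsid = {}
    for event_id, description in events:
        parsed = parse_dcom_event(event_id, description)
        if parsed:
            by_clsid.setdefault(parsed["clsid"], []).append(parsed)
    return by_clsid

# First sentence of each description, copied from the event text above.
SAMPLE_EVENTS = [
    (10021, "The launch and activation security descriptor for the COM Server "
            "application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid."),
    (10016, "The application-specific permission settings do not grant Local "
            "Activation permission for the COM Server application with CLSID "
            "{05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user "
            "NT AUTHORITY\\SYSTEM SID (S-1-5-18)."),
]

if __name__ == "__main__":
    for clsid, items in summarize(SAMPLE_EVENTS).items():
        print(clsid, [(i["event_id"], i["account"], i["missing"]) for i in items])
```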



RESOLUTION
To resolve this problem, follow these steps:
 * 1) Add the following local security accounts to the local DCOM Users group on the SMS site server or to the built-in DCOM Users group on a domain controller:
    * IWAM_
    * NETWORK SERVICE
    * SERVICE
    * SYSTEM
    * AUTHENTICATED USERS
    * INTERACTIVE
 * 2) Give the IUSR_ account security permissions. To do this, follow these steps:
    * a) Click Start, click Run, type dcomcnfg.exe, and then click OK.
    * b) Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
    * c) On the COM Security tab, click Edit Limits under Launch and Activation Permissions.
    * d) Under Group or user names, click Add.
    * e) Type IUSR_, click Check Names, and then click OK.
    * f) Under Group or user names, click the IUSR_ account.
    * g) Under Permissions for IUSR_, click to select Allow for the following permissions:
       * Local Launch
       * Remote Launch
       * Local Activation
       * Remote Activation
 * 3) Restart the site server.
 * 4) Click Start, click Run, type services.msc, and then click OK.
 * 5) Under Services, right-click the following services, and then click Stop:
    * IIS Admin Service
    * World Wide Web Publishing Service
    * HTTP SSL
    * SMS Agent Host
    * SMS_EXECUTIVE
    * SMS_REPORTING_POINT
    * SMS_SITE_COMPONENT_MANAGER
    * SMS_SQL_MONITOR
 * 6) Click Start, click Run, type cmd, and then click OK.
 * 7) At the command prompt, change the working directory to the \inetpub\adminscripts directory, type the following command, and then press ENTER:

CSCRIPT SYNCIWAM.VBS -v

 * 8) Restart all the services that you stopped in step 5.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
If the reporting point is hosted on a system that is running Windows Server 2003 with SP1, make sure that the SMS Reporting Users group has access to the SMS_REPORTING_POINT COM+ object. To do this, follow these steps:
 * 1) On the site system, click Start, click Run, type Dcomcnfg.exe, and then click OK.
 * 2) Double-click Component Services, double-click Computers, double-click My Computer, and then double-click DCOM Config.
 * 3) Right-click SMS_REPORTING_POINT, and then click Properties.
 * 4) On the Security tab of the SMS Reporting Point Properties dialog box, click Edit in the Launch and Activation Permissions section.
 * 5) In the Launch and Activation Permissions dialog box, click to select Local Activation for the SMS Reporting Users group.

For more information about other issues that are related to DCOM permissions, click the following article numbers to view the articles in the Microsoft Knowledge Base:

903220 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1

892500 Programs that use DCOM do not work correctly after you install Microsoft Windows Server 2003 Service Pack 1

909444 Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC

SMS 2003 relies heavily on DCOM to perform its designated tasks. One component of the SMS 2003 installation process makes sure that the Windows Server 2003 DCOM security settings are set to their defaults. These settings let SMS 2003 work well on a computer that is running Windows Server 2003 with no Windows Server 2003 service pack installed. Windows Server 2003 SP1 introduced significant changes to DCOM security configuration. The default DCOM security configuration in Windows Server 2003 SP1 and in later service packs is too restrictive to allow full SMS 2003 functionality. Therefore, when you install a Windows Server 2003 service pack on an SMS 2003 site server that did not previously have a Windows Server 2003 service pack installed, DCOM security configuration incompatibilities are introduced. These incompatibilities require manual intervention and configuration to make sure that SMS continues to function.

The same DCOM security configuration tasks are performed whenever an SMS 2003 service pack is installed and whenever a site is reset. DCOM security configuration rolls back to the default Windows Server 2003 settings for the version of Windows Server 2003. If Windows Server 2003 includes a service pack, you must manually reconfigure DCOM security settings to guarantee full SMS 2003 functionality.

Additional query words: COM Security IWAM IUSR IDENTITY LAUNCH ACTIVATION PERMISSIONS

Keywords: kbsmssecurity kbdcom kbtshoot kberrmsg kbprb KB913119


© Microsoft Corporation. All rights reserved.