Event ID 10021 and event ID 10016 occur after a site reset or after an SMS 2003 service pack installation on a site server running on Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2

Article ID: 913119

Symptoms

Consider the following scenarios:
  • A Microsoft Systems Management Server (SMS) 2003 site server is installed on a computer that is running the release version of Microsoft Windows Server 2003. An SMS service pack may be installed. You upgrade the server to Windows Server 2003 with Service Pack 1 (SP1) or to Windows Server 2003 with Service Pack 2 (SP2).
  • An SMS 2003 site server is installed on a computer that is running Windows Server 2003 with SP1 or Windows Server 2003 with SP2. An SMS service pack may be installed. You upgrade the SMS site server by installing an SMS 2003 service pack.
  • An SMS 2003 site server is installed on a computer that is running Windows Server 2003 with SP1 or Windows Server 2003 with SP2. An SMS service pack may be installed. During maintenance or troubleshooting operations, you reset the SMS site server.
In each of these scenarios, the following error messages are logged when you try to initiate an action on a client computer from the site server.

Event message 1
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: Date
Time: Time
User: N/A
Computer: SMS SERVER
Description:
The launch and activation security descriptor for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.
Event message 2
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: SMSSERVER
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
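The two events report different failures: 10021 rejects the security descriptor itself, while 10016 reports a descriptor that does not grant a named permission to a named account. The following PowerShell triage helper is an added example, not part of the original article. It pulls the CLSID, account, SID and permission out of the event descriptions so each event can be matched to the COM application that needs attention. The function name `ConvertFrom-DcomEventText` is hypothetical, the sample text is copied from the two events above, and Windows PowerShell 2.0 is assumed.

```powershell
# Added example: triage helper for the two DCOM events shown above.
# ConvertFrom-DcomEventText is a hypothetical name, not an SMS or Windows cmdlet.
function ConvertFrom-DcomEventText {
    param([int]$EventId, [string]$Description)

    $result = New-Object PSObject -Property @{
        EventId = $EventId; Clsid = $null; Principal = $null
        Sid = $null; Detail = $null; Finding = $null
    }
    # Both events name the COM server by CLSID.
    if ($Description -match 'CLSID\s+(\{[0-9A-Fa-f-]{36}\})') {
        $result.Clsid = $Matches[1]
    }
    switch ($EventId) {
        10021 {
            # The descriptor is rejected; the text names which descriptor.
            if ($Description -match '^The (.+?) security descriptor') {
                $result.Detail = $Matches[1]
            }
            $result.Finding = 'Security descriptor contains invalid access control entries'
        }
        10016 {
            # The text names the missing permission and the affected account.
            if ($Description -match 'grant (.+?) permission for') {
                $result.Detail = $Matches[1]
            }
            if ($Description -match 'to the user (.+?) SID \((S-[0-9-]+)\)') {
                $result.Principal = $Matches[1]
                $result.Sid = $Matches[2]
            }
            $result.Finding = 'Permission settings do not grant the named permission'
        }
    }
    $result
}

# Sample input: descriptions copied from the two events in this article.
$samples = @(
    @{ Id = 10021; Text = 'The launch and activation security descriptor for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid.' },
    @{ Id = 10016; Text = 'The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).' }
)
$samples | ForEach-Object {
    ConvertFrom-DcomEventText -EventId $_.Id -Description $_.Text
} | Format-List EventId, Clsid, Detail, Principal, Sid, Finding

# On a live server, feed it from the System log instead:
# Get-EventLog -LogName System -Source DCOM |
#   Where-Object { 10016, 10021 -contains $_.EventID } |
#   ForEach-Object { ConvertFrom-DcomEventText -EventId $_.EventID -Description $_.Message }
```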

Resolution

To resolve this problem, follow these steps:
  1. Add the following local security accounts to the local DCOM Users group on the SMS site server or to the built-in DCOM Users group on a domain controller:
    • IWAM_servername
    • NETWORK SERVICE
    • SERVICE
    • SYSTEM
    • AUTHENTICATED USERS
    • INTERACTIVE
  2. Give the IUSR_servername account security permissions. To do this, follow these steps:
    1. Click Start, click Run, type dcomcnfg.exe, and then click OK.
    2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
    3. On the COM Security tab, click Edit Limits under Launch and Activation Permissions.
    4. Under Group or user names, click Add.
    5. Type IUSR_servername, click Check Names, and then click OK.
    6. Under Group or user names, click the IUSR_servername account.
    7. Under Permissions for IUSR_servername, click to select Allow for the following permissions:
      • Local Launch
      • Remote Launch
      • Local Activation
      • Remote Activation
  3. Restart the site server.
  4. Click Start, click Run, type services.msc, and then click OK.
  5. Under Services, right-click the following services, and then click Stop:
    • IIS Admin Service
    • World Wide Web Publishing Service
    • HTTP SSL
    • SMS Agent Host
    • SMS_EXECUTIVE
    • SMS_REPORTING_POINT
    • SMS_SITE_COMPONENT_MANAGER
    • SMS_SQL_MONITOR
  6. Click Start, click Run, type cmd, and then click OK.
  7. At the command prompt, change the working directory to the \inetpub\adminscripts directory, type the following command, and then press ENTER:
    CSCRIPT SYNCIWAM.VBS -v
  8. Restart all the services that you stopped in step 5.
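
Steps 5 through 8 can be scripted so that the services come back even if the synchronization step fails. The following PowerShell script is an added example, not part of the original article. It assumes Windows PowerShell 2.0 run as a local administrator on the site server, that the display names listed in step 5 match the installed services, and that the \inetpub\adminscripts directory is on the system drive.

```powershell
# Added example: scripted form of steps 5-8 (not Microsoft's own script).
# Display names are the ones listed in step 5 of the article.
$displayNames = @(
    'IIS Admin Service', 'World Wide Web Publishing Service', 'HTTP SSL',
    'SMS Agent Host', 'SMS_EXECUTIVE', 'SMS_REPORTING_POINT',
    'SMS_SITE_COMPONENT_MANAGER', 'SMS_SQL_MONITOR'
)
# Assumption: the IIS admin scripts directory is on the system drive.
$adminScripts = Join-Path $env:SystemDrive 'inetpub\adminscripts'

# Record which of the listed services are running now, so that only
# those are started again afterwards.
$wasRunning = @($displayNames | Where-Object {
    $s = Get-Service -DisplayName $_ -ErrorAction SilentlyContinue
    $s -and $s.Status -eq 'Running'
})

try {
    foreach ($name in $wasRunning) {
        # -Force also stops services that depend on this one.
        Stop-Service -DisplayName $name -Force -ErrorAction Stop
    }

    Push-Location $adminScripts
    try {
        # Step 7: the command from the article.
        cscript.exe synciwam.vbs -v
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "synciwam.vbs exited with code $LASTEXITCODE"
        }
    }
    finally {
        Pop-Location
    }
}
finally {
    # Step 8: runs even when a stop or the sync step failed, so the
    # site server is not left with its services down.
    foreach ($name in $wasRunning) {
        Start-Service -DisplayName $name -ErrorAction Continue
    }
    Get-Service -DisplayName $displayNames -ErrorAction SilentlyContinue |
        Format-Table DisplayName, Status -AutoSize
}
```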

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

If the reporting point is hosted on a system that is running Windows Server 2003 with SP1, make sure that the SMS Reporting Users group has access to the SMS_REPORTING_POINT COM+ object. To do this, follow these steps:
  1. On the site system, click Start, click Run, type Dcomcnfg.exe, and then click OK.
  2. Double-click Component Services, double-click Computers, double-click My Computer, and then double-click DCOM Config.
  3. Right-click SMS_REPORTING_POINT, and then click Properties.
  4. On the Security tab of the SMS Reporting Point Properties dialog box, click Edit in the Launch and Activation Permissions section.
  5. In the Launch and Activation Permissions dialog box, click to select Local Activation for the SMS Reporting Users group.
For more information about other issues that are related to DCOM permissions, click the following article numbers to view the articles in the Microsoft Knowledge Base:
903220 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1
892500 Programs that use DCOM do not work correctly after you install Microsoft Windows Server 2003 Service Pack 1
909444 You may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
SMS 2003 relies heavily on DCOM to perform its designated tasks. One component of the SMS 2003 installation process makes sure that the Windows Server 2003 DCOM security settings are set to their defaults. These settings let SMS 2003 work well on a computer that is running Windows Server 2003 with no Windows Server 2003 service pack installed. Windows Server 2003 SP1 introduced significant changes to DCOM security configuration. The default DCOM security configuration in Windows Server 2003 SP1 and in later service packs is too restrictive to allow full SMS 2003 functionality. Therefore, when you install a Windows Server 2003 service pack on an SMS 2003 site server that did not previously have a Windows Server 2003 service pack installed, DCOM security configuration incompatibilities are introduced. These incompatibilities require manual intervention and configuration to make sure that SMS continues to function.

The same DCOM security configuration tasks are performed whenever an SMS 2003 service pack is installed and whenever a site is reset. DCOM security configuration rolls back to the default Windows Server 2003 settings for the version of Windows Server 2003. If Windows Server 2003 includes a service pack, you must manually reconfigure DCOM security settings to guarantee full SMS 2003 functionality.

Properties

Article ID: 913119 - Last Review: June 20, 2014 - Revision: 8.0
Applies to
  • Microsoft Systems Management Server 2003