Event ID 10021 and event ID 10016 occur on a site server that has Systems Management Server 2003 Service Pack 1 installed after you upgrade to Windows Server 2003 Service Pack 1 (913119)



The information in this article applies to:

  • Microsoft Systems Management Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003 SP1

SYMPTOMS

Consider the following scenario. You have a Microsoft Windows Server 2003-based site server that has Microsoft Systems Management Server (SMS) 2003 with Service Pack 1 (SP1) installed. You upgrade the site server to Windows Server 2003 with Service Pack 1 (SP1). In this scenario, the following Error events are logged when you try to initiate an action to a client computer from the site server.

Event message 1
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: Date
Time: Time
User: N/A
Computer: SMS SERVER
Description:
The launch and activation security descriptor for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Event message 2
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: SMSSERVER
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
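
To see which CLSIDs and accounts these two events name on a particular server, the System log can be summarised as in the following added example, which is not part of the original article. It assumes Windows PowerShell is installed on the site server; Get-Capture and Get-DcomPermissionEvent are hypothetical helper names.

```powershell
# Added example: summarise DCOM events 10016 and 10021 from the System log.
$clsidPattern = 'CLSID\s+(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
$userPattern  = 'to the user\s+(.+?)\s+SID\s+\((S-[0-9-]+)\)'

# Hypothetical helper: return one capture group, or nothing when there is no match.
function Get-Capture([string]$Text, [string]$Pattern, [int]$Group = 1) {
    $m = [regex]::Match($Text, $Pattern)
    if ($m.Success) { $m.Groups[$Group].Value }
}

function Get-DcomPermissionEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-EventLog -LogName System |
        Where-Object {
            $_.Source -eq 'DCOM' -and
            $_.TimeGenerated -ge $Since -and
            (10016, 10021) -contains $_.EventID
        } |
        Select-Object TimeGenerated, EventID,
            @{Name = 'Clsid';   Expression = { Get-Capture $_.Message $clsidPattern }},
            @{Name = 'Account'; Expression = { Get-Capture $_.Message $userPattern 1 }},
            @{Name = 'Sid';     Expression = { Get-Capture $_.Message $userPattern 2 }}
}

# One row per (event ID, CLSID, account), most frequent first.
# Event 10021 names no account, so its Account and Sid columns are empty.
Get-DcomPermissionEvent |
    Group-Object EventID, Clsid, Account |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Passing the time of the last restart as -Since limits the summary to events logged after a permission change.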

RESOLUTION

To resolve this problem, follow these steps:
  1. Add the following local security accounts to the local DCOM Users group on the SMS site server or to the built-in DCOM Users group on a domain controller:
    • IWAM_servername
    • NETWORK SERVICE
    • SERVICE
    • SYSTEM
    • AUTHENTICATED USERS
    • INTERACTIVE
  2. Give the IUSR_servername account security permissions. To do this, follow these steps:
    1. Click Start, click Run, type dcomcnfg.exe, and then click OK.
    2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
    3. On the COM Security tab, click Edit Limits under Launch and Activation Permissions.
    4. Under Group or user names, click Add.
    5. Type IUSR_servername, click Check Names, and then click OK.
    6. Under Group or user names, click IUSR_servername.
    7. Under Permissions for IUSR_servername, click to select Allow for the following permissions:
      • Local Launch
      • Remote Launch
      • Local Activation
      • Remote Activation
  3. Restart the site server.
  4. Click Start, click Run, type services.msc, and then click OK.
  5. Under Services, right-click the following services, and then click Stop:
    • IIS Admin Service
    • World Wide Web Publishing Service
    • HTTP SSL
    • SMS Agent Host
    • SMS_EXECUTIVE
    • SMS_REPORTING_POINT
    • SMS_SITE_COMPONENT_MANAGER
    • SMS_SQL_MONITOR
  6. Click Start, click Run, type cmd, and then click OK.
  7. At the command prompt, change the working directory to the \inetpub\adminscripts directory, type CSCRIPT SYNCIWAM.VBS -V, and then press ENTER.
  8. Restart all the services that you stopped in step 5.
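
Steps 5 through 8 can also be run as one script, shown here as an added example that is not part of the original article. It assumes Windows PowerShell is installed on the site server, that it is run as a local administrator after the restart in step 3, and that the Inetpub folder is on the system drive.

```powershell
# Added example: steps 5-8 as a script. Display names are those listed in step 5.
$displayNames = 'IIS Admin Service', 'World Wide Web Publishing Service', 'HTTP SSL',
                'SMS Agent Host', 'SMS_EXECUTIVE', 'SMS_REPORTING_POINT',
                'SMS_SITE_COMPONENT_MANAGER', 'SMS_SQL_MONITOR'

# Assumption: Inetpub is on the system drive; adjust if IIS was installed elsewhere.
$adminScripts = Join-Path $env:SystemDrive 'inetpub\adminscripts'
if (-not (Test-Path (Join-Path $adminScripts 'synciwam.vbs'))) {
    throw "synciwam.vbs not found in $adminScripts; no services were stopped."
}

# Snapshot every running service, so that dependents stopped by -Force
# are started again along with the services named in step 5.
$before = @(Get-Service | Where-Object { $_.Status -eq 'Running' } |
            ForEach-Object { $_.Name })

# Step 5: stop the listed services in the order given in the article.
foreach ($name in $displayNames) {
    $svc = Get-Service | Where-Object { $_.DisplayName -eq $name }
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force   # -Force also stops dependent services
    }
}

# Steps 6-7: run SYNCIWAM.VBS -V from the adminscripts directory.
Push-Location $adminScripts
& cscript.exe //nologo synciwam.vbs -v
$syncExit = $LASTEXITCODE
Pop-Location

# Step 8: start whatever was running before and is not running now.
Get-Service |
    Where-Object { $before -contains $_.Name -and $_.Status -ne 'Running' } |
    ForEach-Object { Start-Service -InputObject $_ }

if ($syncExit -ne 0) { Write-Warning "cscript exited with code $syncExit" }
```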

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

If the reporting point is hosted on a system that is running Windows Server 2003 with SP1, make sure that the SMS Reporting Users group has access to the SMS_REPORTING_POINT COM+ object. To do this, follow these steps:
  1. On the site system, click Start, click Run, type Dcomcnfg.exe, and then click OK.
  2. Double-click Component Services, double-click Computers, double-click My Computer, and then double-click DCOM Config.
  3. Right-click SMS_REPORTING_POINT, and then click Properties.
  4. On the Security tab of the SMS Reporting Point Properties dialog box, click Edit in the Launch and Activation Permissions section.
  5. In the Launch and Activation Permissions dialog box, click to select Local Activation for the SMS Reporting Users group.

For more information about other issues related to DCOM permissions, click the following article numbers to view the articles in the Microsoft Knowledge Base:

903220 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1

892500 Programs that use DCOM do not work correctly after you install Microsoft Windows Server 2003 Service Pack 1

909444 Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC


Modification Type: Major
Last Reviewed: 6/23/2006
Keywords:kbSMSSecurity kbDCOM kbtshoot kberrmsg kbprb KB913119 kbAudITPRO