Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

DCOM 10009 errors on SBS2008 with NAS

88 views
Skip to first unread message

mlai

unread,
Nov 20, 2008, 12:11:01 AM11/20/08
to
I have just migrated from SBS2003 to SBS2008. Everything looks ok. Except
the two NAS (Synology DS207+) that I have on the network. Actually, even
they work fine with the upgraded SBS2008 Domain. However, on the SBS2008
box, I get a cluster of DCOM10009 errors every 30 mins or so pointing to
communication issues with the 2 NAS boxes. However, other operations
(authentications from the NAS) are fine and the users can use the domain
credentials on the boxes.

So, what can I do to resolve the DCOM 10009 errors on the SBS2008 machine?

Susan Bradley

unread,
Nov 20, 2008, 1:18:45 AM11/20/08
to
DCOM Event 10009
Problem: The DCOM event id 10009 will occur when a client workstation
has a miss-configured firewall or other issues affecting its network
communications within the domain, for example if the workstation is not
managed by an SBS GPO. In this scenario, the DCOM event 10009 will
happen repeatedly, potentially hundreds per day.
Resolution: To attempt to resolve configuration issues with the firewall
try the following:

· Make sure to allow remote management exception. Depending on your
firewall solution this might be implemented or might require opening
several ports. Unfortunately, this means opening common ports like
TCP/135, TCP/139 but also a range of dynamic ports that cannot easily be
defined and start at 1025, check with your firewall manufacturer for
proper ways of allowing dynamic RPC traffic.
· If using OneCare on the SBS client machines, make sure you are using
the Small Business version of Windows Live OneCare. The Small Business
version has a default set of firewall port exceptions as required by SBS
to monitor the client workstations.
· If the workstation is on a different subnet than the SBS server and it
is running Windows XP SP2 or higher, the firewall exceptions provided by
the SBS group policies will not properly allow the required
connectivity. You should edit the Client XP GPO and change the scope of
the rules to allow subnet + the internal IP of the server. Follow the
extra steps below to properly monitor XP SP2 (or higher) machines
running in the SBS domain on different subnets than the SBS server, and
prevent the DCOM 10009 errors if that is the case.

1. Open GPMC.MSC from Start-Run
2. Accept the UAC prompt
3. Expand Forest: Domain.local, Domains, Domain.local and select Group
Policy Objects. (Replace Domain.local with your domain)
4. Select the Windows SBS Client – Windows XP Policy and then use right
click on your mouse and select edit
5. Expand Computer Configuration, Policies, Administrative Templates,
Network, Network Connections, Windows Firewall, Domain Profile
6. Find the IP Address of the server: Open a command prompt window
(cmd.exe) from the Start menu. In the command prompt window type
IPConfig and press return. Make note of the IPv4 address listed.
7. Double click on: Windows Firewall: “Allow inbound file and printer
sharing exception”
a. in the text box labeled “Allow unsolicited incoming messages from
these IP addresses”, add the IP (IPv4) of the server, so if the IP of
the server is 192.168.1.2, it would end up reading: localsubnet,192.168.1.2
b. Click Ok
8. Repeat Steps 6.a and 6.b for the following rules:
Windows Firewall: Allow inbound remote administration exception
Windows Firewall: Allow inbound remote desktop exceptions

http://blogs.technet.com/sbs/archive/2008/08/26/known-post-installation-event-errors-in-sbs-2008-and-how-to-resolve-them.aspx

mlai

unread,
Nov 20, 2008, 3:06:01 AM11/20/08
to
Yes I have already read thru that but that pertains to Windows based clients
only and not SAMBA clients, which a lot of NAS are based. Besides, there
were no DCOM 10009 errors on the old SBS2003 machine......

Susan Bradley

unread,
Nov 20, 2008, 10:11:34 AM11/20/08
to
And this is SBS 2008 where the firewall is different.

It's the same issue per my read.

mlai

unread,
Nov 21, 2008, 7:49:00 PM11/21/08
to
Yes. As I mentioned, this will work on a windows based machine but not samba
based NAS.....

Susan Bradley

unread,
Nov 21, 2008, 8:32:21 PM11/21/08
to
Try this, make a specific GP rule that allows the ports to that NAS unit.

SAMBA is still file and printer sharing.

mlai

unread,
Nov 22, 2008, 9:56:01 AM11/22/08
to
Susan,
This really doesn't make sense to me. The article is talking about openning
ports on the client machines (and applying GP) to allow remote management.
For one thing, there is no firewall on the NAS to begin with. Second, the
NAS is not running windows and thus will not be able to process remote
management requests anyway.

What difference will this make?

Susan Bradley

unread,
Nov 25, 2008, 3:12:05 AM11/25/08
to
That SBS box now has a firewall that you can't disable. A specific
route needs to be built between that NAS and the SBS box.

1. fire up a sniffer and see exactly what traffic is going between the
NAS and the server.

2. Build a firewall rule to match the traffic that is going between the
two.

mlai

unread,
Dec 11, 2008, 9:39:00 PM12/11/08
to
I have created a rule on the server to allow all outgoing and incoming ports
to/from the NAS IP. And the error still happens.

The fix seems to be marking the computer account for the NAS as an NT4
computer. I have deleted the NAS computer acount from the AD. Recreated the
computer account but this time, marking the computer as Pre-Windows 2000
computer. Seems that the DS207+ still operates fine with AD logons and no
more DCOM 10009 errors since the change in the event log of the SBS2008
machine.

Susan Bradley

unread,
Dec 11, 2008, 10:37:10 PM12/11/08
to
As a test did you merely move the unit out of the SBSComputers OU?

mlai

unread,
Dec 11, 2008, 10:46:03 PM12/11/08
to
The NAS OU was NEVER in SBSComputers to begin with.

Susan Bradley

unread,
Dec 12, 2008, 5:59:36 PM12/12/08
to
Let me rephrase,Was that OU under the MyBusiness\Computers OU?
0 new messages