Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 10004 Source: DCOM

Source
Level
Description
DCOM got error <error description> and was unable to logon .\IWAM_CORPDOM in order to run the server: {<component GUID>}
Comments
 
We encountered this error when the IWAM_machine account went out-of-sync, usually after a server reboot. This can be fixed by running the Synciwam.vbs from \Inetpub\AdminScripts directory.

Error: "Overlapped I/O operation is in progress." - for a generic description of this error see the link to Error code 997.

Error: Logon failure: unknown user name or bad password, GUID: 3D14228D-FBE1-11D0-995D-00C04FD919C1 (Conferencing Server) - This behavior occurs because the Windows 2000 Component Services and Microsoft Internet Information Services (IIS) 5.0 processes are not synchronized. The IWAM_machine account may be out-of-synchronization with the metabase, Active Directory, and COM+. See ME269001 for resolution.

Error: Logon failure: unknown user name or bad password, GUID: 1FD7A201-0823-479C-9A4B-2C6128585168 - To resolve this problem, give the domain account the Log on as a batch job privilege in the Group Policy Object in the Domain Controller. See ME312497.

Error: Logon failure: account currently disabled.", GUID: 3D14228D-FBE1-11D0-995D-00C04FD919C1 - The IUSR_computer and IWAM_computer accounts must be turned on for IIS to function correctly. See ME321448.

Error: "Logon failure: the user has not been granted the requested logon type at this computer.", GUID: 3D14228D-FBE1-11D0-995D-00C04FD919C1 - This behavior can occur if the IWAM_MACHINENAME and IUSR_MACHINENAME user accounts do not have "Logon as a batch job" rights. See ME297519.
This DCOM error also occured after a Cisco Unity 7.02 Upgrade. While accessing the Unity SA, some of the pages that require the message store service to authenticate such as ''Messages'', ''Alternate Extensions'' and ''Integrations'' would give the HTTP 500.100 error and generate a DCOM error 10004 in the event logs.

The fix:
1) Run Start > Programs > Administrative Tools > Component Services
2) Drill down to Component Services > Computers > My Computer > COM+ Applications
3) Right-Click on ''Cisco Unity'' and choose Properties
4) Select the ''Identity'' tab and verify the username/password for the account that is used to run the message store service. (unitymsgstore by default)
5) Press the OK button and test.

The ''Identity'' tab will not allow you to enter an invalid account/password so you cannot make a mistake that way but the account/password you attempt to use must be in the Active Directory.
- Error: “Logon failure: unknown user name or bad password", GUID: {B2B30542-D976-11D3-B188-0040056AC398} - I had this error pop up every few seconds. This was caused by the BDmTk DCOM containing the wrong password for the administrator account.
I discovered this by searching the registry for "{B2B30542-D976-11D3-B188-0040056AC398}" then going into "Component Services" under Administrative tools. Drill down through Component Services -> Computers -> My Computer -> DCOM Config. Find the name of the program in question (in my case BDmTk). Right click, select Properties, and on the Identity tab, correct the permissions.
In my case, it was McAfee Groupshield "Junk Folder" credentials causing my issues. To resolve this issue, read McAfee Document ID KB46675. Go to the “McAfee Knowledge Search” page and search for the document to read it.
- Error description: "Logon failure: unknown user name or bad password" - This error started happening every one to two seconds on our server (SBS2003 Standard) right after the administrator password was updated/changed. I found a service in the services list that was using the Administrator account to run {this was a newly installed service that had to do with our scanning software database). I updated the "logon" tab of this service with the new administrator password and resolved the issue. It was also found on another server that running the Synciwam.vbs file from the inetpub/adminscripts directory resolved this issue.


- Error description: "The operation completed successfully" - See ME332092 and "Citrix Support Document ID: CTX111312".
- Error description: "Logon failure: the user has not been granted the requested logon type at this computer" - See ME189158 and ME318849.
- Error description: "Logon failure: unknown user name or bad password" - See ME259615 and ME298119.
- Error description: "Overlapped I/O operation is in progress" - See "Sophos Support Article ID: 1718".

This issue may occur if the permissions are not correctly configured for the IWAM_ComputerName account or the IUSR_ComputerName account. See ME822699 and MSW2KDB for more details.
- Error description: "The operation completed successfully" - See ME922333.
- Error description: "Logon failure: unknown user name or bad password" - See the link to "FAQShop Article" for a possible solution to this problem.
- Error description: "Logon failure: user account restriction" - Check if the account password expired. If so, changing it to never expire may solve you problem. See the link to "Computing.Net Forum Post" for another possible solution.
- Description: “The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {0C0A3666-30C9-11D0-8F20-00805F2CD064} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool” - Use Regedit to search for the CLSID named in the description to obtain the name of the application. The description of the CLSID appears in the Windows Registry under the HKEY_CLASSES_ROOT hive, e.g.:

HKEY_CLASSES_ROOT\CLSID\{0C0A3666-30C9-11D0-8F20-00805F2CD064}
(Default) Machine Debug Manager

In one case, this was due to incorrect permissions for the NETWORK SERVICE account in the DCOM configuration.

For Windows 2003/XP, go to Start -> Settings -> Control Panel -> Administrative Tools -> Component Services. Navigate to Computers -> My Computer -> DCOM Config. Click View on the title bar and click Detail. Scroll down to the entry for the program (name from the registry), alternate-click it and click Properties.

For Windows 2000, go to Start -> Run, enter DCOMCNFG and follow a similar procedure.

Click the Security tab. Click the "Launch and Activation Permissions" Edit button. Add the NETWORK SERVICE account and give it full permissions. Click OK. Repeat this procedure for the "Access Permissions" and "Configuration permissions" Edit buttons. Click OK to close the Properties page. Close all related Windows. This event ID should now stop appearing.
We ran into this problem when we replaced the hardware of an Exchange server (with demoting the existing, backup/restore to the new and promoting it back to a domain controller) without transferring the local user accounts. See ME269001 for diagnosis and ME269367 for information on how to fix the problem.
- Error: "Overlapped I/O operation is in progress" - I solved this by running “C:\inetpub\adminiscripts\synciwam.vbs” from a command prompt.
We received: “DCOM got error "Overlapped I/O operation is in progress” and was unable to logon <domain>\<dcomuser> in order to run the server: {GUID}”. The DCs were located in a sub OU under the Domain Controllers OU. The Domain controller OU had the Default Domain Controllers policy configured to allow the <dcomuser> to logon as a batch job. The customer had created a new policy on the sub level OU containing the DCs to allow another user to logon as batch job. This overwrote the high-level OU policy setting, resulting in the <dcomuser> not having rights to run.
This error disappeared once I excluded “C:\EXCHSRVR\imcdata” from the Antivirus on-access scan.
A web-based application would not start. Quick solution was to stop the IIS Admin Service, which also stops the World Wide Web Publishing Service. Restart the World Wide Web Publishing Service, which restarts the IIS service. The application then worked fine.
I was getting this: “DCOM got error "Overlapped I/O operation is in progress. " and was unable to logon <domain>\administrator in order to run the server: {ID}”. I had changed the administrator password. I had to run “dcomcnfg” and find the Dcom object that was referenced by the ID (just searched in the registry). Load up dcomcnfg then reset the administrator password.


I fixed this issue by synchronizing the IWAM account between the IIS Metabase and the user database. See ME297989.
This error was fixed by running the Synciwam.vbs file as mentioned in the other comments. The problem was caused by installing IIS on a member server, then promoting it to domain controller. This caused the local IWAM and IUSR accounts to become unsynchronized. The promotion to domain controller did not migrate these accounts. This has been repeated on other machines. One good advice here is to only install IIS after running DCPROMO or simply use the script if you cannot do that.
This event also occured after installing Microsoft's ME321599 Hotfix. The hotfix restarts automatically the web services but for some reason this process failed. The problem was solved by running iisreset on a command prompt.
I fixed this problem (from a different Dcom module) by taking the machine (W2K Server) out off the domain and putting it back. Not really nice, but it worked.
I ran into this when I promoted a server to a domain controller without transferring the local user accounts. See ME269367 on how to fix the problem.
If error 80110414 is generated when you use Synchiwam.vbs then have a look at ME269367.
Similar error, "Logon failure: unknown user name or bad password. " and was unable to log on to DOMAIN\user in order to run ther server {179894D5-B853-4F32-A7C1-7B2E7F69D271}. This particular Class refers to Network Associates' ePolicy Orchestrator Agent, and was probably caused by a password change on DOMAIN\user. Change the logon information in the ePolicy console to the new password.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...