10009 DCOM error: server trying to communicate with ISP DNS server using DCOM I am almost there!!!!

Discussion in 'Active Directory' started by Spin, Dec 9, 2005.

  1. Spin

    Spin Guest

    Experts,

    I have almost got this figured out! Old info first followed by the new
    tidbit at the end. Running Windows Server 2003 SP1. Running about 10 small
    public web sites on it. This is a single-server pointing to itself for DNS
    and running Active Directory. The AD zone is standard primary with "Secure
    and Non-secure" updates set to 'Yes'. All other zones (for the 10 small
    public web sites) have dynamic updates turned "off". None of those have
    name servers pointing to my ISP. They do however use the Notify feature to
    transfer to them a secondary zone. In DNS, under Forwarders, are the two IP
    addresses for my ISP's DNS server in question. They were also entered into
    the properties of the Default Virtual SMTP Server so that Exchange running
    on this box could do reverse lookups on the domains of incoming mail but I
    have removed those. The event ID error below basically indicates my server
    cannot communicate with my ISP server. I can understand that problems
    sometimes happen, as my ISP is hosting my secondary zones for the 10 small
    public web sites. But why is the server trying to communicate with it using
    DCOM? I would assume it would only try to communicate with it using
    standard tcp over port 53 (zone transfer). I have been over every square
    inch of this server. DCdiag results also keep telling me I'm using the two
    ISP's DNS servers mentioned but I could not see how/where I am doing that
    anywhere within the GUI. The Preferred and Alternate DNS servers for this
    server point to itself under network properties. The one new thing I have
    discovered with the help of Ace/Kevin is that I do have a reverse one for my
    server delegated to me by my ISP. Given that, what do I need to do with/in
    this zone to make my server stop trying to register in it??

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10009
    Date: 12/2/2005
    Time: 8:35:30 AM
    User: N/A
    Computer: EBIZ-GATE
    Description:
    DCOM was unable to communicate with the computer <ISP DNS> using any of the
    configured protocols.
     
    Spin, Dec 9, 2005
    #1

  2. In
    Is the ISP's DNS listed in the nameserver tab of any of the zones?


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Windows Server Directory Services
    Microsoft Certified Trainer
    Assimilation Imminent. Resistance is Futile.
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Dec 10, 2005
    #2

  3. Spin

    Spin Guest

    Yes it was Ace, in just one of the zones (the one at the bottom of the list
    under Forward Lookup Zones). I just checked all of them again based on your
    question. Crossing my fingers this will work.
     
    Spin, Dec 10, 2005
    #3
  4. In
    Ok.

    Curious, which zone and why was it in there?

    Ace
     
    Ace Fekay [MVP], Dec 10, 2005
    #4
  5. Spin

    Spin Guest

    It was under one of the public zones supporting a public web site which I
    forgot or overlooked had been there. I put it there a long time ago based
    generally on my lack of knowledge concerning public zone DNS setup, but then
    I removed them (but forgot about that one) once I got smarter. Basically
    since this server is the SOA and Master Name Server for each public zone, I
    thought I had to put an NS record in each public zone hosting a web site and
    pointing to each of my ISP's DNS servers. I now realize this is
    unnecessary. What I do instead is use the "Notify" feature to transfer a
    secondary copy of the public zones to my ISP, and only give the world the
    address of the two ISP DNS servers as the primary and secondary name servers
    for my sites. That way at least they are not hitting my server for udp port
    53 DNS queries, and only instead go to my server over port 80 for the
    web sites themselves. Does this sound reasonable?
     
    Spin, Dec 10, 2005
    #5
  6. In
    Yes, it does, as long as the ISP is supporting that for you. I can't see the
    Notify causing a DCOM error since I do not believe it uses DCOM rather just
    a notification packet saying there is a change and come and get it.

    Let me/us know if you are still getting them.

    Ace
     
    Ace Fekay [MVP], Dec 11, 2005
    #6
  7. Spin

    Spin Guest

    Ace, I just looked at my event logs this morning and saw that I am still getting
    them. :-(
     
    Spin, Dec 12, 2005
    #7
  8. In
    Apparently at this point, it seems obvious one of them is causing this. Do
    you have a reverse zone? Is that using the ISP in the nameserver tab? Is the
    reverse zone delegated to you from your ISP?

    Maybe a far off suggestion (and kind of crazy), but if I can suggest to
    remove the zones one by one (but save the .dns files), then re-create them
    from your .dns files, until you figure out which one it is.

    Ace
     
    Ace Fekay [MVP], Dec 13, 2005
    #8
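
The check Ace asks for in post #2 (is the ISP's DNS listed as a name server in any zone) can be run over every saved .dns file at once instead of tab by tab. The script below is an added example, not code from any poster in this thread; the zone text, the `corp.test` and `isp.test` names and both function names are constructed assumptions.

```python
# Constructed sample in the style of a file-backed zone (.dns) file; every
# name here is a placeholder, not a value taken from the thread.
SAMPLE_ZONE = """\
;  Zone file for example-site.test (constructed sample)
@   IN  SOA ebiz-gate.corp.test. hostmaster.corp.test. (
            42 ; serial
            900 600 86400 3600 )
@           NS  ebiz-gate.corp.test.
@   3600 IN NS  ns1.isp.test.   ; forgotten entry naming an outside server
www         A   192.0.2.10
sub         NS  ns-internal
"""

def ns_records(zone_text, origin):
    """Return (owner, target) for every NS record; $ORIGIN lines are ignored."""
    origin = origin.rstrip(".").lower() + "."
    found, last_owner = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if raw[0] in " \t":                       # blank owner: reuse previous
            owner = last_owner
        else:
            owner, tokens = tokens[0], tokens[1:]
            last_owner = owner
        # Skip the optional TTL and class that may precede the record type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens = tokens[1:]
        if len(tokens) >= 2 and tokens[0].upper() == "NS":
            target = tokens[1].lower()
            if not target.endswith("."):
                target += "." + origin            # relative name: qualify it
            found.append((owner, target))
    return found

def external_ns(zone_text, origin, own_servers):
    """NS records whose target is not one of this server's own names."""
    own = {s.rstrip(".").lower() + "." for s in own_servers}
    return [(o, t) for o, t in ns_records(zone_text, origin) if t not in own]

if __name__ == "__main__":
    for owner, target in external_ns(SAMPLE_ZONE, "example-site.test",
                                     ["ebiz-gate.corp.test"]):
        print(f"{owner}\tNS\t{target}")
```

Run it once per zone file, passing the zone name as `origin` and every name the server answers to as `own_servers`; anything it prints is a name server entry worth reviewing on that zone.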
  9. Spin

    Spin Guest

    Hi Ace,

    Yes, I do have a reverse zone. It is not using the ISP in the nameserver
    tab. Yes, the reverse zone is delegated to me from my ISP. Per your expert
    advice, I have removed the reverse zone (but saved the .dns file) and will
    now take a wait-and-see approach.
     
    Spin, Dec 13, 2005
    #9
  10. How did your ISP set up the delegation?
    Did you create the zone with the proper name?

    There are several methods ISPs use when delegating reverse zones, you must
    use the method they use. If you don't, it can cause a DNS loop. If your
    server is trying to register a PTR in the zone, I would expect some very odd
    behavior.
    Depending on your ISP you may be able to have the zone delegated to you and
    still keep a reverse zone with your ISP. My ISP delegated my reverse to me,
    giving me the SOA Master, then it was just a simple matter of adding my ISP
    NS records in addition to mine and allowing zone transfers back to the ISP.
    This works great because it allows me to have the Master reverse zone and
    still keep my reverse zone on my ISP's high speed, high bandwidth DNS
    servers.
    http://www.dnsstuff.com/tools/lookup.ch?name=208.91.65.65.in-addr.arpa&type=NS
    http://www.dnsstuff.com/tools/lookup.ch?name=208.91.65.65.in-addr.arpa&type=SOA

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    https://secure.lsaol.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Dec 13, 2005
    #10
  11. In
    Kevin, that may be the whole issue. It was the only other thing I can think
    of. If the delegation wasn't done properly or if Spin didn't create the zone
    as per the delegated format (if subnetted), then I can see the machines are
    trying to establish a DCOM session to update into the ISP's zone.

    Ace
     
    Ace Fekay [MVP], Dec 14, 2005
    #11