DCOM error Event ID: 10016 during the execution of an eDiscovery Platform (eDP) process.

Article: 100047506
Last Published: 2021-08-30
Product(s): eDiscovery Platform

Problem

While executing a shared process (for example: data ingestion, exports, cache, or Production folder locks), there are more requests for assistance from servers other than the case home server. If the DCOM actions are blocked, the request will fail.

 

Error Message

<< System Event Log >>

ERROR:  
Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Date:          4/8/2020 1:56:32 PM
Event ID:      10016
Task Category: None
Level:         Error
Keywords:      Classic
User:          edp\edpadmin3
Computer:      Server01.cwlab.edp
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}

 to the user EDP\edpadmin3 SID (S-1-2-34-1234567890-1234567890-1234567890-123456) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

 

Cause

There are several eDP processes that are performed through Distributed Component Object Model (DCOM) within a Distributed Architecture as well as a Stand Alone server environment.  If the DCOM broadcast is blocked, a System Event log is generated.

 

Solution

The solution has two phases. Phase one allows the DCOM permissions of the blocking process to be modified. Phase two grants the blocked account permission to launch the blocked process.
The following instructions are based on the error listed in this technical article, in which user EDP\edpadmin3 is prevented from running the RuntimeBroker process. The APPID and USER in the customer's DCOM error will vary with each customer environment.


Phase One:  Increase permissions

(Repeat steps for each eDP server in the cluster)


1. Log in to the eDPClearwell server with a Domain Administrator account.

2. Start > Run > regedit
Search for the component of interest:
Using the example error above, the CLSID for the APPID is: 9CA88EE3-ACB7-47C8-AFC4-AB702511C276

3. In the left pane, right-click the key and select 'Permissions'.

 

4. Click 'Advanced'


5. Change the owner from 'TrustedInstaller' to 'Administrator' (domain account)


 

6. Click 'Apply'

7. Double-click 'Administrators', add the 'Full Control' permission, and press 'OK'.


 

8. Verify the 'Administrators' account has 'Full Control' Access.

 

9. Click 'Apply' > 'OK'  to activate the new permissions.

10. Change the class file ownership back to the 'TrustedInstaller' account.

As in steps 4 and 5, press the 'Advanced' button and change the owner from 'Administrator' to 'TrustedInstaller'.
NOTE:  The 'TrustedInstaller' account is local to the server and is found as NT SERVICE\TrustedInstaller.

Change the 'Locations...' to the local server.

Enter the object name: NT SERVICE\TrustedInstaller > Press 'OK'

Verify that the owner has changed to 'TrustedInstaller'.

 

11. Press 'Apply' > 'OK' > 'OK'

12. Close the registry editor.

_______________________


Phase Two:

 

1. Open the DCOM Configuration page.  Start > Run > dcomcnfg

2. Navigate to: Component Services > Computers > My Computer > DCOM Config > RuntimeBroker





Note:  If there is more than one RuntimeBroker, right-click each one, select 'Properties', and compare its Application ID to the APPID reported in the error.



 

3. Right-Click > Properties > Security tab > Edit the 'Launch and Activation Permissions'


Press the 'Cancel' button if the Windows Security popup appears.

4. Add the account listed in the Event error (example: EDP\edpadmin3) with 'Local Launch' and 'Local Activation' set to 'Allow'


5. Press 'OK' > 'Apply' > 'OK'

6. Close the Component Services window.

7. Reboot the server.
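
The APPID, account and denied right that drive both phases can be read out of the event text with a script instead of by eye, and the same script can confirm that the registry key owner was set back to TrustedInstaller (Phase One, step 10). The PowerShell below is an added example, not part of the original article or of eDP; the function names are hypothetical, and it assumes the AppID key is found at HKEY_CLASSES_ROOT\AppID\{APPID}.

```powershell
# Added example; function names are hypothetical and not part of eDP or Windows.
function ConvertFrom-Dcom10016Message {
    param([Parameter(Mandatory)][string]$Message)
    # The description wraps each GUID onto its own line, so flatten whitespace first.
    $flat = ($Message -replace '\s+', ' ').Trim()
    $guid = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $pattern = "grant (?<Right>(?:Local|Remote) (?:Launch|Activation)) permission .*?" +
               "CLSID (?<Clsid>$guid) and APPID (?<AppId>$guid) " +
               "to the user (?<User>.+?) SID \((?<Sid>S-[0-9-]+)\)"
    if ($flat -match $pattern) {
        [pscustomobject]@{ Right = $Matches.Right; Clsid = $Matches.Clsid
                           AppId = $Matches.AppId; User = $Matches.User; Sid = $Matches.Sid }
    }
}

function Get-DcomAppIdKeyInfo {
    param([Parameter(Mandatory)][string]$AppId)
    # Assumed location of the AppID key (not stated in the article).
    $path = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    [pscustomobject]@{
        Name  = (Get-Item -LiteralPath $path).GetValue('')   # e.g. RuntimeBroker
        Owner = (Get-Acl -LiteralPath $path).Owner           # expected after step 10: NT SERVICE\TrustedInstaller
    }
}

# Constructed sample: the description text of the example error in this article.
$sample = @'
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user EDP\edpadmin3 SID (S-1-2-34-1234567890-1234567890-1234567890-123456) from address LocalHost (Using LRPC)
'@
ConvertFrom-Dcom10016Message -Message $sample

# On each eDP server: one row per blocked APPID/account pair found in the System log.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Dcom10016Message -Message $_.Message } |
    Sort-Object AppId, User -Unique |
    ForEach-Object {
        $key = Get-DcomAppIdKeyInfo -AppId $_.AppId
        [pscustomobject]@{ Right = $_.Right; User = $_.User; AppId = $_.AppId
                           Name = $key.Name; KeyOwner = $key.Owner }
    }
```

Run it from an elevated PowerShell session on each server in the cluster; a KeyOwner other than NT SERVICE\TrustedInstaller after Phase One means step 10 was missed on that server.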

 

 

 

 
